Commentary- Data loss is an all too common a theme in the news these days. The recent Sidekick outage, however, stands out for several reasons but most importantly because the data loss affected both customer contact information as well as customer’s files such as images and schedules. Let’s put aside who is at fault in this particular situation and whether cloud computing introduces data loss risks, which ultimately became the focus of this controversy, and instead look at this from a consumer’s point of view.
As consumers, we have two options of storing our digital data: locally or elsewhere in the cloud. A good analogy would be the option of storing your savings under your mattress or in an online bank. Of course, that decision is a personal one, but it is also commonly confused by technical discussions that are not really interesting or important to laymen. In the case of the Sidekick outage, discussion has been skewed because subtle but important differences in the value of customer data such as personal files compared to application-specific data such as IDs, passwords and the like are often overlooked.
When data loss happens, usually the number of records lost or stolen containing information which identifies the customer is reported; information such as credit card data, bank account numbers, passwords, addresses and phone numbers. Does this prove that only customer-identifying information is usually at risk, hence we should spend most of our efforts protecting it? The obvious answer may not be the right one. Let me paraphrase an anecdote I learned in a statistics course to further illustrate that point.
A wartime aviation engineer needed to solve the problem of planes being lost to small arms fire from the ground. He examined hundreds of planes on major combat airfields and repair facilities, and mapped all bullet holes to the primary parts of planes. He discovered that almost all of the planes available for study had a large number of bullet holes on the wings—almost none were hit in the body and tail areas. You probably already know the solution the engineer devised, which was that he proposed reinforcing the body and tail areas of the planes with additional armor. His logic was simple: Planes that were hit in the wings were coming back, whereas planes that were hit in the tail or body area were not returning to base. (Robert Bartoszyński, 2008)
Applying this principal of protection to our discussion of data loss, we can infer that passwords and other identifying information are important, but not as important as the actual documents that contain information of monetary or other value. For example, if a password theft is detected, simply changing the password protects the victim. However, if a file is lost or stolen sometimes as a result of compromised password, there usually is no remedy other than cutting the loss. Additionally, where the cost of a lost password is fairly static, the cost of lost information is highly variable.
Data is king – but the emperor has no clothes these days. Much more attention and IT budget is spent protecting network perimeters, assuring high availability of applications and databases instead of protecting unstructured customer data. The data – not the service – should be important for customers. What value is restored service to anybody if they then must manually restore from backup? Presuming there is a backup, which is not always the case.
Despite questions raised following the Sidekick outage, this is where the cloud can help. Consumers do not have to worry about backups with best-in-class cloud vendors who utilize the economy of scale that clouds bring both for resources and expertise. The cloud is best positioned to correctly implement the security triangle of Confidentiality, Integrity and Availability for consumers and business alike, because it can have complete control over all aspects of the systems: the applications, the environments, the people and the processes.
Mushegh Hakhinian is a security architect at IntraLinks, a company which provides on-demand solutions for businesses to collaborate, communicate and exchange critical information inside and outside the enterprise.