Mike, a formerly self-employed graphic designer, was recently hired on full-time as a marketing associate at Worldwide, Inc. While he was working as a freelancer, Mike made regular, liberal use of cloud-based services like Dropbox and Adobe’s Creative Cloud. “Cloud” storage services, which house users’ files on servers maintained in the provider’s physical plant(s), allowed Mike to access all of his data using multiple devices, from almost any physical location.

Access to these services was essential for sharing designs with clients, collaborating on projects with other designers, and allowing him to work from home, the road, or wherever he happened to be. Mike frequently used the “public” folders in these cloud services to simultaneously share projects and files with multiple stakeholders (see Figure 3-1). In contrast with this open-form approach, his new employer maintains a contract with a specific cloud provider, Microsoft OneDrive. Worldwide requires that all company data stored in the cloud be on OneDrive.

However, because Mike only recently signed on at Worldwide, he is still used to the storage patterns he adopted as a freelancer. He keeps software and work files in his personal cloud accounts. Because he uses some of those data in his new position, he continues using Dropbox and Creative Cloud when it’s convenient. He also uses these services when outside contractors (e.g., an offset printer) prefer to use a service other than OneDrive. A couple of months after Mike joined Worldwide, it emerges that some of the company’s proprietary data has been obtained by a competitor. Worldwide’s investigative team immediately launches a full audit of current data storage and sharing systems to locate the source of the breach. Mike’s use of non-approved cloud providers and public storage (available to anyone!) is one of many employee violations uncovered during this audit.

What Is “The Cloud”?

Although the term has become part of the current vernacular and ubiquitous in conversations on issues of data storage, access, and retrieval, there is a lot of misunderstanding and misinformation surrounding cloud computing. Many users put faith in the cloud, and make a host of operational assumptions about the way it functions, but most don’t have well-developed answers to the questions “What is ‘cloud computing’?” or “What does it actually mean to store data in the ‘cloud’?” Given increasing online vulnerability, and a constantly changing cyber landscape, not knowing the answers to these questions can lead to uninformed decisions with extremely serious consequences.

The “cloud,” which has become a quasi-technical term, actually refers to a system of networked, physically separated, interconnected computers. The computer (or other equipment) can be in a different physical location from the user, but the size of the network space created by these connections is defined by virtual—and not physical—dimensionality. Users storing data on Google Drive, Microsoft OneDrive, or Apple’s iCloud store their data in network spaces defined by virtual connections between computers hundreds or thousands of miles from their physical point of contact with this space.

Practically, cloud computing for average “retail” users wasn’t feasible until high-speed Internet connectivity became relatively inexpensive and conveniently available in homes and businesses. Before the data “pipe” could be widened to coincide seamlessly with modern computing requirements, there was no market for the cloud. No one wanted a service that required 20–30 minutes to open a file!

Once affordable retail connection speeds became sufficient, cloud computing gained momentum. Amazon is credited with starting the first major cloud service with the 2006 launch of Amazon Web Services. This allowed external customers, which were primarily small businesses, to purchase storage and application space on Amazon’s servers. Several major technology companies have since begun to offer cloud services. These second-generation providers have primarily focused on individual users.

Among these later entrants is Apple, whose service started as MobileMe in 2008, became iCloud in 2012, and added iCloud Drive in 2014. Microsoft launched Windows Live Folders in 2007, which is now known as OneDrive. Google launched Google Docs in 2007, with limited cloud storage, transitioning to Google Drive in 2012. Adobe launched Creative Cloud in 2011. Several relatively new, smaller providers have quickly found success in this growing market as well, including Box, which launched in 2005; Dropbox, which launched in 2008; and CloudMe, which launched in 2011. These providers use a range of business models to sustain their market offerings.

For example, Google uses Drive as a way to tie users into what is broadly known as the “Google Ecosystem.” Use of one system in this suite tends to encourage the use of other Google products. Google derives value from this approach because it facilitates a more fluid gathering of customer data, which in turn increases the effectiveness of customer-focused advertisements. Box and Dropbox (among others) offer their basic services for free, with the objective of enticing customers to upgrade their account status to a more advanced fee-based version of the service.

Cloud Controversy and Risks

Propelled by increasing privacy and fair-use sensitivity, the cloud market has seen recent content-domain controversy. In 2012 the photo-sharing cloud service Instagram, now a subsidiary of Facebook, made headlines. Instagram revised its terms of service with ongoing users so that it could use their photos in advertisements at the company’s own discretion, with no compensation to end users. After a flurry of bad press in a wide range of trade journals and general media outlets, Instagram reversed its stance and omitted the change-of-service terms.

Instagram did this, even though it had no legal obligation to do so. Instagram had every legal right to change the terms of service with users of its free product! When users upload photos, or any other data—be they sensitive client data or employee social security numbers—to a cloud-based service, an explicit agreement has been made to the terms of that service. It is critical to investigate those terms thoroughly before putting your data into the system, to ensure that the host service isn’t going to use your data in ways with which you would disagree—or in a manner that could put the privacy of your clients’ data at risk.

In light of changing work patterns, and increasing market sensitivities, many corporations, government agencies, and educational institutions have begun to formalize relationships with specific cloud providers. Organizations are realizing that their employees can use these tools to increase collaboration and productivity. If employees are going to use these cooperative tools, the sponsoring organization should follow best practices to avoid unwanted front-page attention.

Formalizing an Informal Relationship

Private consumers use cloud services in a wide variety of ad hoc ways, which is only to be expected in light of both the relative novelty of the service itself and users’ far-ranging data storage and access requirements. Public organizations or other large collectives that incorporate the cloud as an element of their official business processes should, however, explicitly formalize all aspects of their relationship with the cloud provider. It is essential to define costs, allotments, and service-level agreements. If you are a manager, director, or supervisor, or occupy another senior-level position in your organization, educate your employees! If they’re allowed to use only the sanctioned cloud provider, for example, enforce this directive through well-articulated human resources (HR) or information technology (IT) policies. The way the organization wants the cloud to be used by employees must be clearly indicated in rules bearing on this approach. It is also critical to inform employees about what sorts of data can or can’t be stored in the cloud.

For example, the University of Virginia has a partnership with Box, allowing all faculty, students, and staff to have up to 50GB of storage space at no cost to end users. The university defines what kinds of data are allowed to be stored in Box and what types are prohibited. The university also provides formal guidance and written policy on how to share files via Box with non-university personnel. With the goal of limiting collateral damage, the university also strongly discourages faculty and staff from storing university data with any other cloud storage provider. This policy benefits the University of Virginia by standardizing the cloud provider used. It also benefits faculty, students, and staff because they have a substantial volume of storage space available to them free of charge.

However, because it is an “official” collaboration, the university also has to provide technical support for faculty, students, and staff using the service (which is actually another benefit for university personnel). Organizations without an official cloud provider or set of controlling policies may find employees using a variety of cloud services, with no consistency. As with the “bring your own device” (BYOD) trend, the term “bring your own cloud” (BYOC) has been coined to describe employees doing just that. As we saw with our graphic designer “Mike” at the beginning of the chapter, it is critical that even companies with “official” cloud arrangements be aware that their employees may be using “unofficial” or unauthorized cloud providers, and take steps to intercede before a data breach.

Data Breaches

For all the hype surrounding the cloud, there is nothing sacred or pristine about a cloud storage approach to safeguarding your data. These data aren’t being kept in an impenetrable vault. The data you store in the cloud are only as safe as systems-in-place make them. Data stored by a cloud service—even a paid service—can be stolen. Numerous recent examples have gotten publicity in the computing press over the last several years.

In 2010, a Microsoft small-business cloud service inadvertently exposed customers’ address books to public download. Although the issue was reportedly resolved shortly after being discovered, “illegitimate” downloads of customers’ data were detected. PCWorld reported that these losses were incurred as a consequence of what a director of communications for the compromised site referred to as “a configuration issue.”¹

In 2013, a university-based teaching hospital in Oregon found that physicians and staff in both its Division of Plastic and Reconstructive Surgery and Department of Urology and Kidney Transplant Services were storing patient data, including names, social security numbers, ages, diagnoses and addresses, on Google Drive. Although this practice violated both hospital policy and the 1996 Health Insurance Portability and Accountability Act (HIPAA), the physicians and staff were storing sensitive data on Google Drive to make it easier to share information about patients. The HIPAA-protected data of more than 3,000 patients were exposed to theft. Such incidents are not without precedent at this hospital: mHealthNews reported that in 2009, the personal health information of roughly 1,000 patients was stolen from an employee’s unencrypted laptop, and in 2012 the personal health information of 14,000 patients was stolen from an employee’s unencrypted thumb drive.²

Perhaps most alarmingly in light of the intense focus the topic has received in the media, in 2013 Adobe’s cloud services were hacked…again. In what is likely the largest security breach that Adobe has experienced to date, hackers were able to break into Adobe’s servers and steal customer names, IDs, passwords, encrypted credit and debit card numbers, expiration dates and other core customer-specific information. This attack exposed nearly 3 million customers to the loss of their most sensitive financial data. Talkin’ Cloud reported that the actual extent of the damage to customers using the cloud service may never be fully determined.³ These breaches are occurring not merely with off-brand providers with small security budgets and less-than-current market knowledge. These substantial, costly, high-profile breaches are occurring at top-tier technology firms, with well-established brands and world-class reputations…in the firms’ primary domain of expertise.

Not Just for Storage Anymore

Cloud computing has its origins in data storage, but it has evolved to include applications as well as data. More and more, software is being offered as a service rather than as a product. For example, Adobe’s Creative Cloud bundles graphics, design, and web applications into various suites. In a departure from the conventional retail approach, these products are only sold digitally. Users cannot purchase Adobe Creative Cloud in retail packaging for a one-time fee. It is available only through subscription. Microsoft’s Office365 product operates in a similar way with the Office productivity suite.

This emergent configuration offers several advantages to users, who get all future product updates included in their subscription, without paying additional fees. The products can be legally installed on multiple computers and mobile devices (often with restrictions on concurrent usage). They can be easily downloaded and installed on newly purchased devices without having to keep up with physical disks and serial numbers because everything is digital. Subscriptions also may include upgraded versions of cloud-based storage that are better than the free version. However, the brave new world also introduces several disadvantages. Monthly or annual subscription fees are required. If the user stops paying then the software stops working–as compared with “boxed” retail software, which can be used indefinitely once purchased. Because the products are virtual, a constant (or near-constant) Internet connection is required, so that the software can verify that the user still has a valid subscription license.

For corporate users, “software as a service” also introduces administrative complexity for software auditors. When an employee leaves the company, the firm has to ensure that company-licensed software subscriptions are no longer available to that individual. Current employees also may install personal software subscriptions on corporate machines. IT administrators may be unaware of this software, which can lead to security risks and unwanted headlines.

Offering users (like “Mike,” at the beginning of the chapter) access to various applications is one way that cloud providers seek to stand out from the competition. For example, providers like Box and Dropbox operate as storage-only services. As their names imply, they are simply “boxes” into which users can dump their data. They don’t offer additional software functionality options.

At the other end of the market spectrum in the cloud space, companies such as Microsoft and Adobe are leveraging existing applications that most users are likely to be familiar with—applications like Word, Excel, and Photoshop—to make their cloud offerings more appealing and to differentiate themselves in the market. Yet, Microsoft OneDrive, which integrates with the Office suite of applications, doesn’t help users like Mike who may need access to Illustrator, which is an Adobe product. This kind of functional segregation between storage and software platforms (across competing entities like Microsoft and Adobe) is one of the reasons why some employees may still use unapproved cloud services, outside of the official agreements that their companies maintain with a sanctioned provider.

Reliability

While security is critical, cloud services also need to be reliable. Dependence on Dropbox, OneDrive, or another provider means that all of the data that a salesperson on the road, an engineer in the field, or an executive in the air may need is stored in the cloud. What happens if the cloud service is unavailable? Employees “in the office” have file backups, local file servers, or other alternate locations where their critical data are stored. If the salesperson, the engineer, the executive, or anyone on the road has been relying heavily on cloud storage, that individual is out of luck. This isn’t mere post-apocalyptic fantasy. In May 2014 Adobe’s Creative Cloud was offline for more than 24 hours. In 2013, Dropbox suffered two separate incidents, taking the service offline for approximately 16 hours for each event. This is a lifetime when a client is waiting for a proposal or a security code needs to be entered.

If a company is paying for cloud services, the service-level agreement (SLA) often will include an uptime guarantee (typically 99.9 percent or more). The agreement may include financial compensation in the event of breach of warranty. This compensation can help to offset productivity losses incurred by downtime, but it can do little to repair damaged reputations when the salesperson, the engineer, or the executive drops the ball for a clamoring client. For free / consumer-focused cloud services, of course, there is no such uptime guarantee. A freelancer or small business that depends on Dropbox or iCloud Drive may lose productivity and income when services go down, and get nothing in return except lost business.

Accessibility

As a point of functional definition, cloud computing depends on a nearly constant Internet connection. If a connection is unreliable, or goes down completely, the cloud model can’t work. What operational concessions need to be made for users on the road or in remote locations where Internet access is uncertain? When accessing cloud-stored data from “the road”—hotels, coffee shops, convention centers, etc.—it is also essential to consider the security of the wireless network being used. If the Wi-Fi network at the convention center, for example, is open to all attendees, some of these are likely to be competitors with interest in your data! Best practice avoids leaving proprietary corporate data vulnerable over an open wireless network. Many organizations use a VPN (virtual private network) service to secure data transmission when employees are away from the office. For individual users, like caution is advisable. Don’t open your tax records or other private financials stored in the cloud from an open Wi-Fi network. It is bad practice. We offer detailed discussion of wireless network security and VPN usage in Chapter 5.

What Should You Do?

As with any new device or service that has a broad range of functionalities that may or may not be germane to your needs, it is important to think about how and why you need to use a cloud service. Valid reasons for using cloud-based storage may include as a backup to your computer(s) and device(s). The cloud offers a convenient way to increase the likelihood that a blue screen of death or a “dropped-in-the-toilet” moment won’t mean the loss of all of your data. The cloud also offers increased access to data across multiple locations and devices and a way to share files with colleagues, friends, and family. It is just much easier to share data on the cloud than with conventionally anchored tools.

Given the importance of maintaining the integrity of your files, it is critical to take the time to do some research on the reliability, security, and offerings available through various service providers. For most users, this kind of digging into company backgrounds to figure out the best cloud service provider probably seems complicated (and time consuming). Even if you did do some poking around on your own, there’s no guarantee you’d find anything useful or that you’d be able to determine what information was the most pertinent for this purpose. Third-party media sources, such as Consumer Reports, PCWorld, MacWorld, and CNET.com, that regularly and objectively review a wide range of these services can be extremely useful when sorting through background issues that are important to consider before choosing a provider.

The way you use the cloud can directly impact how well protected your data are. Be extremely careful using any kind of cloud service from public computers or over public networks or open wireless networks. You should seriously consider not accessing any of your sensitive data from public computers or over open networks. The risk is real. If the data are important, accessing them in this way is just not smart policy.

The structure of the data storage system also is critical for maintaining the integrity of your data. Many providers maintain a “public” folder where you can easily stash files or send links to someone to whom you want to give access to those files. Although these folders are extremely convenient, someone you don’t intend to could just as easily gain access to your data. A critical rule of thumb is if you don’t intend for a file to be public, don’t put it in the public folder!

For most (if not all) of us who work for someone else, operating within the rules of your firm’s Information Security (IS) policies serves several essential (perhaps universal) goals: safeguard internal communications, protect clients’ data, maintain employees’ privacy, limit competitor threats. The structure of virtual systems is inherently porous and vulnerable. It is critical to be aware of—and operate according to—your company’s cloud data storage policies. If your company prohibits the storage of work-related data on the cloud, don’t do it! If your company offers in-house cloud storage (which is increasingly the norm in larger firms with a professional, full-time IT staff), or has an exclusive formal contract with a cloud provider, use that “official” provider.

If you use commercial cloud services, you will often receive communications intended to increase the security of your data. Although tempting, don’t spam-filter these e-mails or texts; they likely contain relevant information on the services you’re using. Pay attention to news reports on cloud security or cloud breaches. If you hear that your provider has suffered a data breach, or that it’s been hacked, immediately change your password. It’s also important, periodically, to review the data you’ve stored on the cloud, and remove files you no longer need to store there. Don’t just “stash and forget.”

Additional Reading

For more on how to navigate the cloud, see the following links, and visit our web site at www.10donts.com/cloud:

• NetworkWorld, “5 Tips to Keep Your Data Secure on the Cloud,” a broad overview of cloud safety: www.networkworld.com/article/2172750/cloud-computing/5-tips-to-keep-your-data-secure-on-the-cloud.html
• Computerworld, “5 Online Backup Services Keep Your Data Safe,” with advice on keeping your critical data duplicated off-site: www.computerworld.com/s/article/9223805/5_online_backup_services_keep_your_data_safe
• Forbes, “Why the Cloud Is a Safe Deposit Box for Your Data,” www.forbes.com/sites/sungardas/2014/04/28/why-the-cloud-is-a-safe-deposit-box-for-your-data/
• PC Magazine, “20 Top Cloud Services for Small Businesses,” with detailed analysis of cloud services as they relate to business needs: www.pcmag.com/article2/0,2817,2361500,00.asp
• CNet, “OneDrive, Dropbox, Google Drive, and Box: Which Cloud Storage Service Is Right for You?,” a more consumer-focused look at cloud services: www.cnet.com/news/onedrive-dropbox-google-drive-and-box-which-cloud-storage-service-is-right-for-you/

______________________________

¹PCWorld, Andrea Udo de Haes, “Microsoft BPOS Cloud Server Hit with Data Breach,” www.pcworld.com/article/214591/Microsoft_BPOS_cloud_service_hit_with_data_breach.html, December 22, 2010.

²mHealthNews, Erin McCann, “Latest Hospital Data Breach Involves Cloud Services,” www.mhealthnews.com/news/latest-hospital-data-breach-involves-cloud-services, July 29, 2013.

³Talkin’ Cloud, Chris Talbot, “Adobe Data Breach: Will Skeptical Cloud Users Exit?” http://talkincloud.com/saas-software-service/adobe-data-breach-will-skeptical-cloud-users-exit, October 4, 2013.