I did some consulting at a place last year where the engineers all used a very popular cloud storage service. It’s a service I personally like as well, but when I found out that this group was storing customer RFPs and other nonsense there, I highly recommended they get that crap the hell OFF of there and store it internally. The service didn’t explicitly say, “Your stuff is safe here,” especially since for non-corporate users it’s free. The service said, “Here is the extent of our security. You’ll like it, but we make no stipulations.”
My stance at the time was, a SAS or other auditor would shred the team if they knew where sensitive customer stuff was being kept. “It’ll be fine,” I was told in a very dismissive manner. I did convince them to get certain kinds of docs off there, although internal docs still got uploaded.
Welllllll, a couple of months ago that cloud storage service was sued, because of a bug they introduced that allowed accounts to be accessed without passwords for roughly four hours on one particular evening. Ouch. I’m not saying to abandon ship on these guys. I still have customers who use them. I’m a little disappointed in them, inasmuch as they introduced the problem themselves. There’s a good chance that nothing in fact was compromised, but the window was certainly there. The service did the right thing by notifying all users whose accounts were accessed in that period (comprising less than one percent of their total base, although it’s still a lot of users). They took responsibility.
The cloud is the direction everybody’s heading. Outsource. Don’t run your own servers. Make everything you can an operating expense, not a capital expense. Make somebody else liable for uptime and upkeep. Oh, and security. But remember, it doesn’t matter how many things you sign, how many security stipulations your provider provides, how many references they have. If they allow a breach, and it affects your customers and/or employees, you will still be on the hook. You can’t point and say, “It was that damned cloud company that allowed our social security numbers out.” It will be somebody else pointing at you and saying, “You’re the idiot who picked them.”
So when you’re choosing that cloud vendor, first picture all the stuff YOU would put in place if you were hosting the platform yourself. What authentication and authorization mechanisms would you use? How would you protect against malicious payloads (bad SQL, XML, SOAP calls)? How would you protect the data itself in the event somebody hacked through the DMZ?
Then ask your potential cloud vendor what their equivalents are. It’s their service, but your liability.
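To make the “bad SQL” question concrete, here is an added example (not from the original post, and not any particular vendor’s code) showing the control you would expect a provider to have in place: a lookup written the vulnerable way, spliced into the SQL text, beside the same lookup using bound parameters and an identifier policy check. The table, rows, the `CUSTOMER_ID` policy and all function names are constructed for this illustration; it uses only Python’s standard library `sqlite3` module so it runs offline.

```python
import re
import sqlite3

# Constructed sample rows standing in for a document index a cloud service might keep.
SAMPLE_DOCS = [
    ("acme", "Q3 RFP response"),
    ("acme", "Pricing sheet"),
    ("globex", "Globex RFP draft"),
]

# Hypothetical identifier policy: customer ids are short lowercase slugs.
CUSTOMER_ID = re.compile(r"^[a-z0-9][a-z0-9_-]{0,31}$")


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (customer TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)", SAMPLE_DOCS)
    return conn


def titles_unsafe(conn, customer):
    """Vulnerable form: the caller's value is spliced into the SQL text,
    so quote characters in the value become part of the query."""
    sql = "SELECT title FROM docs WHERE customer = '%s'" % customer
    return [row[0] for row in conn.execute(sql)]


def titles_parameterized(conn, customer):
    """Hardened form: the value is bound as a parameter and is only ever
    compared as data, never parsed as SQL syntax."""
    sql = "SELECT title FROM docs WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


def titles_validated(conn, customer):
    """Defense in depth: reject ids that do not match the policy before
    the database is touched, then use the parameterized query."""
    if not CUSTOMER_ID.match(customer):
        raise ValueError("customer id does not match policy")
    return titles_parameterized(conn, customer)


def demo():
    """Run one hostile input through each variant and report what each returns."""
    conn = build_db()
    hostile = "acme' OR '1'='1"
    results = {
        "unsafe": titles_unsafe(conn, hostile),            # every customer's rows leak
        "parameterized": titles_parameterized(conn, hostile),  # no customer has that literal id
        "legit": titles_validated(conn, "acme"),           # normal lookup still works
    }
    try:
        titles_validated(conn, hostile)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"                  # policy check stops it early
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When asking a vendor about input handling, the answer you want is the second and third function: parameters bound by the database driver, plus a validation layer in front of it, with the first function nowhere in the code base.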