History, Sailing, Security

When Can You Trust Cloud Providers?

Leave a comment
The Raft of the Medusa by Géricault depicts service provider incompetence of 1816: “Crazed, parched and starved, they slaughtered mutineers, ate their dead companions and killed the weakest”

Our first book detailed the infrastructure risks in cloud environments. It gave basic instructions for how to make it safe to build a cloud.

However, I realized right away that a second book would be necessary as I saw operations going awry. People offering data “services” in cloud environments were doing so unethically.

That’s why since 2013 I’ve been working on tangible, actionable solutions to problems in cloud environments like the impostor CISO, the immoral SRE, and the greedy CEO.

It has been a much harder book to write because The Realities of Securing Big Data crosses many functional lines in an organization from legal to engineering, sales to operations. A long-time coming now, it hopefully will clarify how and why things like this keep happening, as well as what exactly we can do about it:

We recently found that some email addresses and phone numbers provided for account security may have been used unintentionally for advertising purposes. This is no longer happening and we wanted to give you more clarity around the situation: https://help.twitter.com/en/information-and-ads

…and that led to everyone asking an obvious question.

You may remember a very similar incident last year and wonder why nobody at Twitter thought to test their systems to make sure they didn’t have the same security flaws as a safety laggard like Facebook.

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all.

Facebook and Twitter, after flashy high-profile CISO hires and lots of PR about privacy, both have sunken to terrible reputations. They rank towards the same levels as Wells Fargo in terms of customer confidence.

Facebook has experienced a tumultuous time due to privacy concerns and issues regarding election interference, ranked 94th. Wells Fargo ranked 96th. The Trump Organization ranked 98th, considered a “very poor” reputation.

The Drum says even the advertising industry is calling out Twitter for immorality and incompetence:

Neville Doyle, chief strategy officer at Town Square, suggested it was “enormously improbable” that Twitter ‘inadvertently’ improved its ad product with the sensitive data, and blasted the tech giant for being either “either immoral or incompetent”. Either way, he said, it was playing “fast and loose with users’ privacy”. Respected ad-tech and cybersecurity expert Dr Augustine Fou, who was previously chief digital officer at media agency Omnicom’s healthcare division, also branded Twitter’s announcement as “total chickenshit”. Last July, the Federal Trade Commission (FTC) fined Facebook $5bn for improperly handling user data, the largest fine ever imposed on company for violating consumers’ privacy.

The technology fixes ahead are more straightforward than you might imagine, as well as the management fixes.

In brief, you can trust a cloud provider when you can verify in detail a specific set of data boundaries and controls are in place, with transparency around staffing authorizations and experience related to delivering services. Over the years I’ve led many engineering teams to build exactly this, so I’m speaking from experience of what’s possible. I’ve stood in customer executive meetings to detail how controls work and why the system was designed to mitigate cloud insider threats, including executives at the highest levels.

You should be especially concerned if management lacks an open and public resume of prior steps taken over years to serve the privacy needs of others, let alone management that lacks the ability to deconstruct how their control architecture was built from the start to serve your best interests.

What has been hard, especially through the years of Amazon’s “predator bully” subscription model being worshiped by sales teams, is keeping safety oriented around helping others. Tech cultures in America tend to cultivate “leaders” that think of innovation as separation; having no way to relate to the people they are serving.

The tone now seems to be changing as disclosures are increasing and we’re seeing exposure of the wrong things done by people who wanted to serve others while being unable to relate to them. Hoarding other people’s assets for self-gain in a thinly-veiled spin to be their “service provider” should never have been the meaning of cloud.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.