At a dinner party recently, I was asked “does information want to be free?” This question is based on information that exists within the cloud today or tomorrow: Data in the Cloud. It is an interesting question with a fairly ready answer. Information is Power, it is people not information that controls information. Granted we have a massive abundance of information within the cloud today, is it trying to be free, or are people trying to make it free to everyone? In addition, is all this information even true or accurate?
My thoughts are that information does not want to be free as information is information, but people control information and some people control that information badly at best. Think about the information that is now available at the click of a button. The first question we have to ask is that information accurate. Wikipedia, for example, often contains inaccurate or downright wrong information. Yet people take what they find on the internet as gospel. Now let us look at the amount of personal information that is available on the internet.
Data in the Cloud
A quick search would show the following information for just about anyone published as part of open records, mistakes, or ourselves via tools like Twitter, LinkedIn, FourSquare, Facebook, etc:
- Current and past addresses
- Current and past phone numbers
- Current and past marital status
- Current and post gender
- Prices for houses which you currently own and perhaps even monthly payments
- Where you have been on vacation and as such when your home is empty of people
- Family member names
- Pictures of children
- Schools and sports your children attend
- Mother’s maiden name
- What you had for breakfast that morning
- Your current location
The list is pretty long and awesome. As people, we may want this data in the cloud to share with other family members and select friends but what this ends up being is a mine of data that can be used for marketing purposes as well as by the bad guys. There is no way to stop it, unless you purposely put out false information, which comes back to the first comment, is any of this accurate.
I would say it is accurate enough that the data in the cloud has been mined by criminals and marketers for different purposes we would hope. Even so, this is an immense amount of personal data that is freely available. Removing it is almost impossible. So given that we as people propagate this data into the cloud, how can we be good corporate citizens and not propagate corporate data into the cloud? We have a pretty bad habit and track record as individuals (okay not all individuals) which will impact how we think about corporate data. Does placing data in Dropbox, Amazon, etc. pose a security risk?
Yes, this is a security risk and one that is very hard to fix as there is no patch for people, we can only put into play security measures that are seen by many as overly draconian. We touched on this conversation on the latest Virtualization Security Podcast, where we tried to answer the question I posed on twitter:
Does it make a difference if we discuss public vs private cloud when we always use hybrid clouds in the end?
The short answer is, that as security folks, we need to disregard location of data and secure all data as if it was data in the cloud, but the bigger question is how to control what data gets placed within the cloud. In answer to the question posed to me at a dinner party. Information does not want to be free, but people want it to be free. Even so information is power and data in the cloud gives power to those who know how to mine it.