Not open for further replies.


Level 12
How Private Is Your Public Cloud?
Stacking Up Google, Microsoft And AWS Data Privacy.


Terms Of Service...

The issue of privacy plays out primarily in the privacy policies and Terms of Service agreements customers have with cloud providers, said Marc Goodman, global security adviser, futurist and author of "Future Crimes." Those Terms of Service vary greatly from provider to provider, he said, particularly if a business is using a free service versus a paid version.

Paid versions of cloud solutions by Google, Microsoft, Amazon Web Services and other big companies tend to make it "very clear" that the user owns the data, not the cloud provider. That is not true for free cloud services, such as Google's Gmail and Google Drive, he said.

"If you're not paying for it, you're not the customer, you're the product," Goodman said. "Businesses large and small need to look at the so-called free services they're using and the Terms of Service. … ‘I have read and agreed to the Terms of Service' is the biggest lie on the internet," Goodman said.

For example, in Google's Data Processing Amendment, which outlines the Mountain View, Calif.-based company's policies for data stored through its Google Apps services, including Google For Work solutions sold by solution providers, the company specifies it will not use customer data for any purpose outside the instructions provided by the customer, including for advertising purposes.

Microsoft and Seattle-based Amazon Web Services have similar language in their own privacy policies and Terms of Service agreements, which were reviewed by CRN.

This contrasts starkly with Google's Privacy Policy for consumer Google Accounts, for example, in which the company says it collects information about services use, device-specific information and location information for a variety of reasons, including improving services, developing new ones, and offering users "more relevant search results and ads."

Does that mean businesses using paid services are scot-free when it comes public cloud privacy and security concerns? Not at all.

While a customer might have fully vetted its cloud provider, the reality is "there are companies who are using the cloud that know it, and there are companies who are using the cloud and don't know it," Goodman said.

A primary example of that is employees who circumnavigate company-sanctioned solutions and instead use personal—often free—cloud services that are easier to provision, said Goodman.

According to Gartner, 95 percent of cloud security failures will end up being the customer's fault by 2020. Many will fail to uphold their end of the shared responsibility model of cloud security, where the customer itself is responsible for securing the data and the cloud provider is responsible for securing the infrastructure.

"Your data could be stored in your employees' cloud without you even knowing it. … Even though you're using Box or AWS—great companies with great Terms of Service—now your employees have taken your confidential quarterly reports, your customer leads, the [intellectual property] of the product you're about to bring to market, and stored it in a cloud provider who, by your employees storing it, has been granted all kinds of rights and access," Goodman said.

For solution providers, this is a real-life concern. Cumulus Global's Falcon, for one, said he has seen countless examples of this with his own customers, including companies that lost data or realized after the fact that they were in breach of compliance regulations. For example, one client's employee was using a personal version of a file-sharing service. When the employee left the company, the customer then had no access to its corporate data, which the employee had stored on his personal cloud account, Falcon said.

To read the full (long) article please visit the link at the top of the page
Not open for further replies.