
AWS
Amazon quietly fixed a significant cryptographic vulnerability in their request signing code, seven and a half months after the discovery. This type of behaviour is very typical of all software vendors. Of course this is nothing new. I would suggest the problem is going to become more critical in the next few years. More and more companies are offering services in a ‘cloud computing’ form and the customer base is increasing to include end users, not just other businesses. Social networks, online backup services, online CRM services, and the list goes on. Everyone using these services is at the mercy of the vendors to fix the problem — more and more people are showing concern and complaining, and that number is increasing.
This blog is a perfect example. It is currently located on WordPress.com. Great service, but the database, interface, and software are not under my control. I do have the option to download, set up and run the software myself — although I have the resources and technical capabilities to do this easily, I do not have the time, so I assume the risk (which is minimal given the type of data) and use a third party service. Unfortunately, many people do not have the technical expertise and are forced to use an external service, completely at the mercy of the company offering the service.
I have done a lot of consulting for law firms over the years and this is slowly becoming a bigger issue for them. Law firms, medical offices, financial institutions, and any other business have personal and private data from their clients that needs to remain confidential and in their control. For example, what happens if you are a law firm that chooses to store its client data offsite using a third party company that in turn uses cloud computing services which you may or may not be aware of? There are many good reasons to do this, such as cost, a decreased requirement for I.T. infrastructure, and a decreased need to hire staff or pay consultants to keep software and systems up-to-date. Any technical issues are the responsibility of the hired company, not the firm. Now, if the cloud computing company has a security vulnerability that takes them time to fix, and during that time someone uses that vulnerability to extract the law firm's data, who is to blame? The law firm for choosing not to keep control of its data, the company that the law firm purchased services from, or the third party cloud computing company? David Canton wrote about cloud computing concerns this fall.
It will be interesting to see how government and the legal community handle this in the next few years. I am just waiting for a client to sue a law firm, medical office or some other company because their data was somehow made public. The best situation from a security perspective will be if there is a breach of data that is involved in an ongoing legal proceeding.
