Data In The Sky

May 1, 2011 | Steve Backman

The recent acknowledgement by database giant Epsilon that information regarding millions of its clients’ customers had been breached is an eye-opener to anyone who trusts someone else with their data. And these days, the concept of cloud computing, or being able to access data from anywhere at any time, is being talked about everywhere.

It’s unclear whether any nonprofits were affected by the breach. Epsilon, the online, email marketing division of Dallas-based Alliance Data Systems (ADS), issued this statement: An incident was detected “where a subset of clients’ customer data were exposed by an unauthorized entry into its email system.” The information obtained was limited to email addresses and customer names only, according to Epsilon. “A rigorous assessment determined that no other personal, identifiable information associated with those names was at risk. A full investigation is underway.”

Several large corporations — including Best Buy, TiVo, Walgreen, Kroger and JP Morgan Chase — alerted customers to the breach, but whether or not some nonprofits’ data were breached remains unclear. “As we conduct a thorough investigation and cooperate with authorities, we are unable to comment any further,” said Jessica Simon, an Epsilon spokesperson, unable to confirm whether any impacted clients were nonprofits. The San Diego Zoo, an Epsilon client, told The NonProfit Times that the organization had been contacted by Epsilon and that the organization’s data had not been breached.

Here’s how cloud environments work. Systems increasingly popular with nonprofits such as Amazon S3, Salesforce, and Microsoft Azure all enable centralized treatment of data. Every week there are new threats to computer systems. These threats could potentially affect cloud systems, but the difference is that it is the cloud vendor’s job to make the patches, and when they do, they do it in one play for all customers. Everywhere else you have to have some concern about when patches will be applied, who will do it, and whether it will affect your customizations. Cloud vendors focus on pre-announced major upgrade cycles annually and roll them out in organized fashion, while making security patches regularly.

A different security issue concerns how much you can trust a cloud vendor to maintain the confidentiality and privacy of data. This is a consideration with any software used these days. We live in an era of WikiLeaks, apparent semi-official Chinese theft of Google and Adobe data, Israeli attacks on Iranian nuclear power system networks, and newly intrusive data mining by U.S. authorities.

Yes, you do have to pick whom you can trust. An organization that was counseling undocumented immigrants, pregnant teens or anything else confidential needs to consider what their network provider, hosting company or cloud service would do in the event of a government warrant or determined attack by a political or organizational opponent.

In a cloud environment, you have to select vendors you can trust based on their size, history with privacy incidents, and leadership and board commitments. Given that we expect more of our desktop or network server software to check for security updates regularly, to be fair, we need to make the same determination for all software, not just cloud systems.

Alongside the physical security of a local server come issues of data security. Data security is multi-layered and multifaceted. In Massachusetts, for example, the state enacted laws to protect personally identifiable information. This changes the security model considerably because organizations, including nonprofits, now need to proactively take responsibility for protecting against inappropriate internal data access.

Sensitive data now needs to be encrypted in the database and users granted specific permission to access that data. If your organization must provide a security compliance audit, some say that public clouds with their proprietary technology might not pass scrutiny because they don’t reveal the internal workings. At least for now, this is a major rationale in the corporate world for “private cloud” environments, where you get some of the benefits of hosted cloud infrastructure, yet take responsibility for everything you have up there.

On the other hand, organizations with their own local servers might lag behind in documenting a security compliance plan for their network and server infrastructure and keeping it up to date. Below private clouds and networked systems lies the security of individual computers and now mobile devices. Here the security picture is even bleaker, with inadequate protection and frequent vulnerabilities. When someone says they will install their accounting system or other critical data on just one computer and keep it off the network to be safe, you can ask: how much effort are they putting into back-up, anti-virus, hardware maintenance and all the rest for that one computer? How much does a systems administrator at that organization monitor the complete set-up of that confidential computer? NPT

Steve Backman is president of Database Designs Associates in Boston. His email is