Feeling Insecure About Security
Earlier this month, as you've no doubt heard, a batch of private pictures of celebrities was circulated widely on the Internet, having been either leaked or stolen from a storage medium the celebrities considered private and trustworthy.
On the theory that one person's misfortune is another's teachable moment, the Internet has been flooded, not by the pictures, but by well-meaning explanations of how users can protect themselves from such privacy violations. Most of them give advice that is mostly good; it's certainly true that most people take far too few precautions with their most sensitive information. But some of it’s misleading, perhaps even betraying an ulterior motive and a hidden agenda.
While experts can agree on the vast majority of things you should do to be safe -- which I won't reiterate here -- sometimes their advice reflects unspoken assumptions or agendas. While there’s a great deal of consensus about how to protect data stored in a given manner, there’s much more debate about whether one type of storage is fundamentally more secure than another.
Consider the lowly flash drive. Some would tell you that the safest place to put your data is on such a drive. It's true that the lack of networking on a storage card makes it immune to network-based attacks, but instead it's vulnerable to physical ones -- those tiny drives are easy to steal, or to lose. Is your security better overall with the flash drive? It's not easy to say.
Similarly, in the recent disclosure of scandalous pictures, some have rushed to say that this shows the insecurity of the cloud. Leaving apart the fact that Apple ultimately concluded that the pictures were not stolen from their cloud service, there's a legitimate (albeit misplaced) question here: Is cloud storage less secure than other forms of large-scale storage?
Obviously it depends on what you look at. As I've said, USB vs. cloud strikes me as too close to call on the personal side. But for business users, the right comparison is to on-premises systems. Many executives feel safer knowing that the data doesn't leave their site, where they believe they have complete control. However, while that control might be complete for a small number of businesses, the typical business is far from expert in matters of security, whereas for cloud providers it's a live-or-die issue. With very few exceptions, I think business data is more secure with a good cloud provider than with an overextended, undertrained IT team on premises.
So, does that mean the cloud is more secure than on-premises storage? Again, the answer isn't black and white. How do you know how good your cloud provider is? Do you trade off professional security in the cloud with perceived security in your organization? There's room for disagreement and nuance, for sure.
However, we should all beware of self-interested pundits who draw overly broad conclusions. Not only was the recent leak not a cloud leak after all, but even if it had been, we can't read too much into an isolated event, remembering that nothing is perfect. One security breach doesn't prove that the cloud is unsafe, any more than one accident with a change machine proves that change machines are a menace.
Life is dangerous. The only way to know how much a particular thing endangers us is to look at some longer-term statistics. An isolated event means nothing, but when someone uses such an event to broadly generalize, it can tell you a good deal about their own agenda.