“The cloud” is Internet jargon for the Internet itself. In this context, it means a collection of computers somewhere on the Internet that are tied together via Internet connections (they don’t have to be collocated, although they usually are) and are reachable by users via the Internet. The purposes of this sort of collection of computers are to centralize computational efforts, to centralize data storage, and to let companies pay the third parties operating a cloud facility to do those computations or that data storage for them.
The major risk of offloading these tasks is security. The companies using an Internet-centered third-party cloud facility have to trust two things beyond their control: the security skills of the enterprise running the cloud facility for them and the Internet connection between the company and that cloud facility.
I wrote all that to write all this.
A huge data leak at Verizon Wireless exposed millions of customer records, but the company blamed an outside vendor for the breach. The FOX Business Network’s Tracee Carrasco reported, “Names, addresses, phone numbers and, in some cases, the security pins of millions of Verizon customers publicly exposed online by one of the company’s vendors, Nice Systems, based in Israel.”
According to reports from ZDNet.com, “An employee of Nice Systems put information into a storage cloud area and incorrectly set the storage to allow external access,” said Carrasco.
Whether that mistake was a one-off, the result of incompetence, or nefarious is neither here nor there. What matters is that a mistake of that magnitude occurred and that neither the process used nor the person using it was under the control of the company using that cloud facility.
Mistakes of this nature are actually quite rare, but the magnitude of a failure of this sort (estimates of the number of customers whose data were exposed range from 6 million to 14 million) is too great for such risks to be worth taking.
It’s simply foolhardy to use any cloud facility that is not under the sole control of the company using it. This kind of mistake will still occur, but at least the company would have full control over the equipment and over IT personnel training and consequences, and it would be better positioned to act quickly to correct a mistake and mitigate its consequences.