Q&A: 'Future Crimes' Author On How To Keep Customer Data Private In The Public Cloud

Data Privacy In A Public World

In his best-selling book "Future Crimes," Marc Goodman digs into the opportunities presented by connected technologies, but also the dangers for the vast amount of data they create, in which many users are voluntarily giving away their rights to privacy. For businesses and their solution provider partners, this is a key concern as that data involved critical business data, intellectual property, or even set the business up for an attack.

In an interview with CRN, Goodman delves into what his research has found around data privacy, particularly in the public cloud, and if solution providers should be concerned about moving their customers' data off-premise. Here's what partners need to know to keep their customer data safe in the cloud.

For more from Goodman, see him speak live at this year's NexGen Cloud Conference & Expo, hosted by CRN parent The Channel Company.

The cloud providers say they are pretty hands off when it comes to business user data. Is that what your research has found?

I would say it depends tremendously by company and whether or not you're using the free version of the product or the paid version of the product…For example, if you're using Google for Work, it's very clear that you own the data and Google has no right to it and to the intellectual property, but in the free version of that, for example Google Drive being a cloud service and Gmail being a cloud service, it is much less clear. In fact, they seem to assert a lot of rights that we're advised to learn about. The same might be true for Dropbox, the paid version versus the free version.

You have to review those Terms of Service. The length of Terms of Service has been increasing massively over the years…If somebody is trying to do something nice for you, it shouldn't take 10,000 words to do it. If someone offered you a free ice cream cone, that's pretty straightforward. We all know what that means. If someone needs to tell you 10,000 words in order to give you a free ice cream cone, then the ice cream cone is probably not free.

Should a business be concerned about the privacy of their data in the cloud?

Yes – they should be concerned for a bunch of different reasons. No. 1, as I'm sure you and your readers are questioning, where is the cloud? Where is that server? Whether that server in Cambridge, Mass. or Beijing, China actually makes a pretty big difference…For example, if your cloud provider happens to have your data stored in a server in France…that would mean you're subject to French law. A lot of U.S. companies, the fact that they have cloud providers, whether it be AWS or Azure or Dropbox, it may subject their companies to European law without them knowing it. That's one challenge…The other question is, who is your cloud provider? Who has access to your data? Can any employee pull it up? With some of the smaller cloud providers or web host companies, it’s not unfeasible for any employee at that company to be able to read that data. You should be thinking long and hard about that. The larger, professional companies say they will only look at your data for system maintenance.

How should a business go about figuring out these terms in a way clients are satisfied with?

It's not just a way that your satisfied with, but also that is required by law or regulation. For example, if you're a small doctor's office, you can't just pick any cloud provider. They have to be HIPAA compliant if they are going to be storing patient or medical information. If you're a financial provider it might be governed by the SEC, as an example. That's one issue.

The other thing to keep in mind is that there are companies who are using the cloud that know it and there are companies that are using the cloud and don't know it…Now, even though you're using Box or AWS, great companies with great Terms of Service, now your employees have taken your confidential quarterly reports, your customer leads, the IP of the product you're about to bring to market and stored it in a cloud provider who, by your employees storing it, have granted all kinds of rights and access to that cloud provider. It's not like the cloud is one clearly defined thing. It's amorphous and it's global and different pieces of it are governed by different bits of law and Terms of Services.

Is that divide between free and paid-for services where you see security issues and privacy issues intersecting?

That's one thing. It also comes down to policy, as well. I would mention that most small and medium companies absolutely have no policies against their employees sending things to Gmail, storing things in Google Drive, storing things in Dropbox…Lots of small and medium companies, startups in particular, are turning towards these "free" services because they're affordable. Of course, they're free for a reason…If you're not paying for it, you're not the customer, you're the product. Businesses large and small need to look at the so-called free services their using and the Terms of Service. It's all about your company policy. Even before policy, you need an awareness of what you're doing and what services you're using and what services your employees are using. Then start looking at policies and specific tools out there…I have read and agreed to the Terms of Service is the biggest lie on the Internet.

How is the privacy discussion different at a small company versus a large company?

If you're Coca Cola or American Airlines, you're going to have very sophisticated people, lawyers, compliance officials and all these folks going through to make sure that before [they] sign a contract with AWS that everybody is going through each and every single line on that contract. But, if you're a much smaller company, let's say you have 50 employees, you may not have the sophistication or maturity so you're likely to just accept whatever these big cloud providers provide…People don't even know the questions to ask their outsourced IT folks so people need to get much more sophisticated about that.

What's the balance between user education on policy and using technology to prevent data leakage?

I absolutely believe that training is key. Training is key at the board level, it is key at the C-suite level and it is key for all of your employees. Unfortunately, most companies invest way more money in technology than they do in training. Something like 98 percent of a company's security budget will go to corporate technologies; intrusion prevention systems, firewalls, antivirus and things like that, which have highly imperfect results…Whereas less than 2 percent of security spend goes on training. Yet, at the very same time, 95 percent of all data breaches can be traced back to employee or human error. We're spending 98 percent of our money on something that is not the problem…I am working to actually fix that. The way a lot of companies deal with the cybersecurity training out there is they make it boring and difficult and regulatory-based and not at all fun. What I'm doing is I'm in the process of creating exciting, enjoyable, awesome employee training that they want to take, not just so they can protect their companies but so they can protect themselves.

Do you see companies and customers paying attention more than in years past?

I think it is on the personal level. I don’t know if it is on the professional or corporate level. Even if it is driving awareness, the next question is: Is it driving behavioral change? It’s not all that clear. The number of people who say they are concerned about privacy in a post-Snowden world skyrocketed. Then, ask what are you doing differently? Are you using encryption? The numbers really didn’t change very much at all.

What are your predictions for where this all ends up? Will businesses keep pushing back on privacy concerns in the cloud?

I think it depends. Unfortunately, the public changes its mind pretty frequently. Everybody loves privacy and everybody hates terrorism, but in between there's a whole soup of what can happen. Everyone wants privacy after Snowden. Then we have a big terrorist attack, well then the FBI needs access to that data or people will die. I would say that it's going to be an ongoing debate...I would say it's going to grow more complex.

The other challenge is we are going to have clouds within clouds within clouds…In large corporations, part of their cloud will be in Salesforce, and some of it will be in SaaS [applications], and part of it will be with AWS and their corporate website might be hosted by GoDaddy. There are so many different clouds that keeping track of them all will prove increasingly difficult going forward.