Issues Inherent to the Centralized Cloud Architecture
Since cloud storage services all use the centralized server architecture, they all have the following issues and compromises that are inherent to the architecture itself.
Duplication, Increased Threat Surface, More Complicated Storage Structure
With all cloud types – public, EFSS, private and virtual private clouds – users duplicate a subset of their files to the centralized server cluster so that those files can be accessed over the internet. This creates duplication and version control issues. Since each server will typically have both a near-line and an off-line backup and may be replicated in other geographies to provide better global access, there will be multiple copies of each file stored. Each copy made increases the threat surface of the organization and creates a more complex storage structure. This inherently increases the organization's risk exposure.
Since many users and devices sync or store information on the centralized server cluster, and because that server has limited storage, only a subset of an organization's overall data can be stored. That means that users have to manage their allotment, and critical data will often not be on that server and will be unavailable. For example, an organization may have 1000 terabytes of overall data storage across all devices, users and locations. If they have 100 terabytes of cloud storage, then 900 terabytes of data are inaccessible at any given time because not all storage has cloud functionality.
The constant syncing from all users and all their devices ties up CPU cycles and bandwidth. It is very resource intensive, requiring multiple servers, load balancers and facilities that all must be managed and secured.
The centralized server model – depending on the scale – requires an expensive data center: multiple servers, storage arrays and supporting equipment such as UPS, backup generators, cooling, etc. The data center must be maintained by trained technical staff, and it must be secured against malware, hackers, fire, theft, natural disaster, outages and human error. All of this expense goes to support access to data that is essentially a duplicate.
Additional Issues Inherent to the Centralized Cloud Architecture Used by EFSS and Public Clouds
Not all EFSS products are created the same when it comes to security, and that is the real problem. Some public cloud vendors like Microsoft and Google adopt very strong security practices that are equivalent to or better than those found in corporate IT departments; some do not. However, even though some may be very secure and some not, none of them can protect the privacy and confidentiality of the information stored on their servers. From a privacy perspective, it is never a good idea to give your confidential files to someone else. That information can legally be secretly accessed and exfiltrated by the cloud provider, by law enforcement and in some cases by foreign powers.
Secret Exfiltration from Third Parties – The cloud provider is required by law to make sure that you are not using their platform for illegal activity. They must and do inspect your files for copyright infringement, child pornography, terrorism and money laundering, for example. Even if you are not breaking any laws, some providers are increasingly denying the use of their platform for moral activity or political positions they disagree with. In any case, they have the right to secretly inspect your files at their discretion for any reason they determine.
Secret Exfiltration from Law Enforcement – What about law enforcement trying to access your data? With EFSS and public cloud storage, you may not know that the provider was served a subpoena, warrant or security order. In fact, the provider may be prohibited by law from telling you. Although nearly every provider’s terms read differently, one thing remains the same. They all tell you explicitly they must and will comply with legal requirements from governments, security agencies and law enforcement (to secretly access your files) and are not responsible for any loss you experience.
Secret Exfiltration from Foreign Powers – With the passing of the Cloud Act, U.S. law enforcement can serve an SCA “warrant” to cloud providers where recipients such as Google, Amazon or Microsoft are obligated to turn over evidence wherever located – even if it is stored on a server located in another country. Since SCA warrants are served in secret directly to the cloud provider and your cloud provider is prohibited from informing you that they have received a warrant to hand over your data, you are depending on them to defend your privacy. If for whatever reason they fail to do so, your data will be exfiltrated without your knowledge. The sole remedy is for the cloud provider to ask a court to quash or modify the warrant. To quash or modify the warrant, all 3 of the following conditions must be met: (a) the target is not a U.S. person; AND (b) compliance would conflict with the law of the country where the data is stored; AND (c) the court conducts a “comity” analysis and concludes that, on balance, disclosure isn’t warranted. If the data requested in your cloud storage is for a U.S. person, or if the target of the request is a non-U.S. person but your own country does not have any specific privacy law to protect that data, then you have no protection. Finally, even if the request is for data on a non-U.S. person and it violates the privacy laws of your local government, if the U.S.-based court determines that U.S. law enforcement really needs it, then your data will be exfiltrated.
Second, the bill is reciprocal in nature, as it would allow the Executive Branch to enter into “executive agreements” to allow qualified foreign governments, with restrictions, to acquire data of their own citizens wherever located, including if stored on servers located in the U.S., without regard to U.S. law or the U.S. Constitution.
In short, under certain circumstances, foreign governments can access data stored in public cloud services regardless of where the data is physically located around the globe, potentially circumventing local regulations. And the European Commission isn’t sitting idly by. It is readying its own legislation, called the E-Evidence Directive, to give EU member countries the same jurisdictional reach as the U.S.
Governance, Risk Management and Compliance (GRC)
With growing pressure to empower employees, associates, and customers with the latest mobile technologies and BYOD, governance, risk management and compliance (GRC), along with the question of who operates and controls the centralized server cluster, is vital to an organization’s security strategy. The problem is that using the cloud and EFSS means your ‘latest technologies’ can quickly become a compliance headache, because the actual compliance and management are outside of your control.