Worth reading: This account by a fan of cloud storage who is newly wise to the dangers of storing proprietary data in the cloud.
But the author, a journalist named Dan Tynan, wasn’t sufficiently hardened to suit Habeas Hard Drive. After sharing how some of his work was lost when another Box.com customer was given inadvertent authority to delete his account, Tynan reveals that he still uses cloud storage for his family’s medical and financial records – and even names specific providers.
In other words, “Please rob me.”
Tynan is to be commended, though, for raising the red flag about cloud security. Habeas Hard Drive suggests the following lessons can be learned from Tynan’s story:
Lesson #1: Keep a log of “invitations” to file access
After a weeks-long investigation, Tynan learned that his wife, with whom he sometimes collaborates, had invited a public relations company to access files in the Box.com account she and Tynan share. Confusion occurred over the identity of the PR company’s external collaborators, and the Tynan account was deleted by someone he never met – an employee at the PR firm.
Habeas Hard Drive would suggest keeping an internal log any time an outside entity is invited to access files in a collaborative environment. A spreadsheet or a simple database entry can indicate the date, who was invited by whom, and the purpose for the access.
This might have shortened the time necessary to figure out what happened. It would have given Box.com support staff a place to start looking for events that could have triggered the deletion.
It would also allow the Tynans to start contacting people quickly, to find out what happened to their intellectual property.
Lesson #2: Don’t use free services for sensitive or confidential data
Just as we recommend ditching free or consumer-grade webmail in favor of secure, enterprise-level service, we also warn against free or low-cost, consumer-grade cloud storage.
If you want to store confidential data or valuable intellectual property in the cloud, pay for secure service. Examples include services with added security features like Covisint, which uses two-factor authentication, and Accellion, which encrypts data both in transit and at rest on its servers. Sources tell Habeas Hard Drive that Accellion will soon add two-factor authentication.
Lesson #3: Service providers should follow Box.com’s example
Tynan’s story includes Box.com’s response once the company learned that his account had been deleted by a complete stranger. Management did the following: 1- apologized; 2- took responsibility for the event; 3- changed company policies to prevent similar mishaps in the future; 4- forensically recovered Tynan’s files.
Granted, Tynan is a tech writer who has the power to damage the company in ways ordinary users can’t. But after many bad experiences trying to report security flaws to unresponsive companies, Habeas Hard Drive salutes Box.com’s response.
by Ira Victor (@ira_victor) and Samantha Stone