The talk at ILTA this year was not so much about giving discovery from the cloud but about a more fundamental question – should we be putting data in the cloud at all? The standout session on this discussed a cyber attack on Saudi Aramco in which data was lost from 30,000 computers and servers in one day around the world.
Would the data have been safer in the cloud? Conventional wisdom (by which I mean the instinctive feel for many businesses and individuals) is against doing that, with the NSA and Chinese hackers seen as the primary source of risk. Against that, it is observed that the top cloud providers invest sums in security beyond the reach of most companies, building defences which few businesses can aspire to. There are no answers here, but the thinking is evolving beyond the unsubstantiated assertions of gut instinct.
Since ILTA, we have seen news of the wholesale theft of celebrity data. The focus has been on what the newspapers like to call “nude selfies”, that being the stuff of headlines. If I were the celebrity, I would be more bothered about some of the other data which will have been swept up at the same time – the contact and calendar information, financial details and, not least, the GPS information embedded in many of those photographs which show where they were taken.
Oh – you didn’t know that? Well here’s a picture I took of the St Pancras Hotel on my iPhone with its metadata:
When was that taken?
And where was it (just in case that is not clear from the photograph itself)?
I put it to you, Ms Celeb, that at 07.44 on 23 July, you were outside the main door of the St Pancras Hotel. In your witness statement, you said that you were romping with three footballers in Croydon on that morning….
That example illustrates that this not not just a security point; it is also an eDiscovery point. There’s evidence in them thar iPhones.
If you do not care very much what happens to so-called celebrities, you might care very much about the industrial secrets, IP and the details of who has been meeting whom which the bad actors may obtain. That very precise information about dates and places may prove (or undermine) evidence about an alleged meeting between a departing sales director and a competitor.
So here is a problem which scales up and down and which is of relevance to everyone at ILTA, whether they are responsible for 30,000 computers or worried about the incautious and long-deleted (ho, ho) picture taken after the office party. Jason Plant, in one of his excellent summaries of ILTA, said:
Who should ask a question during the end questions but the head of legal IT for Saudi Aramco!
How many in that audience were asking themselves questions rather closer to home (or perhaps “safely” away from home)?
Should it put corporations off using the cloud? It is certainly a factor to set against the cost savings and the other benefits of cloud computing; as with the celebrities, some user awareness training and appropriate policies might be a better investment.