The Google Apps director of security told delegates at InfoSecurity Europe 2015 that despite having full trust in the cloud, he still keeps his most private information in a physical safe, inside a tightly guarded bank.
But it’s not because he doesn’t trust the cloud, Eran Feigenbaum was quick to add.
“I still have some personal information in a safe deposit box in a bank, and it’s not because I don’t trust the cloud,” said Feigenbaum.
“It’s because I don’t want to access that information on a regular basis – if I do, it’s a pain in the butt.
“I need to go to the bank, show my ID, pull out the key, get the banker to pull out their key, walk to the safe, and sometimes there’s a queue.
“So I think through evaluating both options, the question is, ‘Is the data safer on a server sitting under my desk either at home or in the business I connect to, or the cloud provider?’ That’s a fair evaluation.”
Feigenbaum’s statement came in response to an audience member at the London-based conference accusing the discussion panel, made up of security experts from Box, Canon and the Cloud Security Alliance, as well as Feigenbaum, of being “evasive” around issues of international data privacy law.
“The question is not whether or not all my data is better in one place. If I have one piece of data, I can look after that better as a hard copy than you can ever look after it. And so far, most importantly, you’ve not talked about international law and state actors,” said the delegate.
“And also this mixing with what users can do in consumer systems with what companies can do is not fair – you’re muddying the waters – you’re being evasive, put more meat on it.”
Feigenbaum accused the delegate of not asking “a fair question” in terms of comparing cloud storage to physical storage, before making his point about safes, but Box chief trust officer Justin Somaini appeared to agree with the comparison, rooting for the cloud as a more secure solution than bricks and mortar.
“The two are comparable,” said Somaini.
“I think that [the cloud] would be more secure, because when we start talking about security versus privacy, privacy mostly is wrapped around confidentiality – who should access the piece of content and is it appropriate,” explained Somaini.
“Using the safe metaphor, you have an opportunity to have better security than that of a cloud provider, but if you look at a typical six-pin safe, you’re using the location of the content as a proxy for identity validation.
“There’s no login, there’s no alert, there’s no preventative factors, except being locked out after six attempts. So the basic factors we’ve embedded in IT security are not things you see in physical safes.”
Backend security, said Somaini, outclasses the physical security of a safe.
But addressing the delegate’s point on state actors, Cloud Security Alliance’s EMEA MD, Daniele Catteddu, reminded the audience that it may not even matter how information is secured if it’s desired by unauthorised persons.
“You’ll also have been reading the news of what’s been happening in Germany, right?” asked Catteddu.
“The German secret service was in alliance with Dutch Telecom to tap into the German system, so if we want to bring this discussion to state actors you’re entering a discussion where everyone will be fearful for the future without any feeling of protection.”
“[Even] if we believe there are still some rules that can apply, we’d have to be quite naïve to imagine that state actors wanting access to our data is going to become less.
“If we believe any piece of information has value, and if people want access to that value, be it legal or illegal, they will do it,” Catteddu concluded.