Many users of cloud data services are entirely unaware of inherent security risks, and security can only improve if customers pressure providers to deliver it, Frank Coggrave, VP of sales, EMEA & APAC at Guidance Software, has told Computing.
The company, which 18 months ago was responsible for assisting Sony in clearing up its widely publicised and reputation-damaging PlayStation 3 server hack, sees a distinct lack of security provisions in many cloud providers' commercial offerings.
Coggrave believes security provision in cloud companies falls into two categories.
"Some of these providers are providing applications, so for example Salesforce is a cloud application," said Coggrave.
"A lot of these are quite well-structured and have a lot of inherent security in them. However, in a lot of the cloud services where you're just basically renting a bit of logical disk space, I think there's more questions you have to ask about the providence of those people."
Storage is now so cheap, especially when consolidated, argued Coggrave, that companies are building a business model on simply providing as much low-cost – or even free – storage as possible to as many customers as possible, with little thought for security.
"The likes of Evernote and Toodledo are all saying 'Hey, without paying for it, have 2GB of disk space'," said Coggrave. "And they're offering that at such a cheap rate because they have the economies of scale that the more customers they get, the cheaper discounts they get from the disk suppliers, the bigger disks they can get. Those things mean they want to drive people to put more data out there."
Coggrave's fear, therefore, is that customers who lean towards the cheaper end of cloud solutions can leave themselves open to all kinds of legal problems.
"Customers are making cloud decisions for cost-saving reasons, which is very relevant due to current financial constraints," he said.
"But what they have to ask is, 'Am I thinking of the ramifications of that decision when something goes wrong? What happens when I have to do an investigation that includes that cloud service? Do I have the legal capability of investigating the cloud service provider's machines as well as my own machines? Who owns that data when it goes on the cloud?' We're starting to see these problems coming about."