Would You Put Your Retail Customers’ Data in the Cloud?

This month Home Depot revealed that millions of customers’ credit card details were stolen and published on the Internet. Following the breach last year at Target, which saw the credit card details of 40 million customers (and personal information of 70 million) stolen, and a number of other highly publicized cyber leakages such as the recent celebrity photos apparently hacked from iCloud, retailers have become much more circumspect about using the Cloud to store Customer Data. The Home Depot admission only heightens such concerns.

Is this concern valid? Should retailers treat the cloud with caution, and maintain closer control over their customers’ data? Or are these stories irrelevant to the real issues?

There are two aspects to this question. What is the actual technical risk, and what is the “reputational” risk?

Technical Risk

What is the Cloud? A typical Cloud service, such as Amazon Web Services or Microsoft Azure, consists of a set of servers connected to the Internet but protected by firewall software to restrict and control access. In essence, this is no different from the data center of any modern retailer. Data centers today are all connected to the Internet, and the devices and software that protect a company’s data in its own data center are typically the same devices and software that protect data in a Cloud service. In a very real sense, if you store your Customer Data in your own Internet-connected data center, then you already have your data in “the Cloud”.

The leakage of data from Target came from their own systems within their own data center. Hackers installed malware onto the Target systems to collect the data and send it out through the Internet. The same technique is also reported to have resulted in the theft of credit card details from Home Depot. The Cloud was not a factor in these, or in fact in the vast majority of other large-scale data breaches.

Where data has been hacked from Cloud services, such as the recent celebrity photos, the breach came through the user’s personal security on their Cloud service. All the evidence is that these hacks were not general breaches of the Cloud service, but were targeted attacks on the usernames, passwords and security questions of specific users. While this example is a warning to consumers about keeping personal data on public cloud services such as iCloud, it does not represent a risk to customer data stored by a Retailer on a corporate Cloud service.

In my view, a company puts its data at no additional technical risk by placing it in the Cloud, as long as it applies the same techniques to protect that data that it would in its own data center.

Reputational Risk

The second aspect of storing data in the cloud is the Reputational Risk. If all other things are equal, do customers perceive a company more poorly if data is taken from a third-party Cloud service than if it is taken from the company’s own internal data center?

The theory here is that customers will perceive a company more poorly if the data was stolen from a Cloud service, on the grounds that the company should not have placed the data “out there” where it is at risk. This is a valid theory, as the typical customer would not understand the nuances of the technical discussion above, and so may well have the perception that the company acted irresponsibly by placing data in the Cloud.

I would argue that by the same theory, the typical customer will not distinguish at all between breaches of a company’s own data center and breaches of a third-party cloud service. Either way, the perception of the Customer is that the company has not taken proper care of their data and as a result the customer has suffered damages.

So should a Retailer use the Cloud?

Security of data and risk of reputation should not be used by retailers as reasons not to use the Cloud. This is not to say that retailers should always use the cloud – simply that the decision should be based on other factors: cost, speed to market for new services, ability to manage “peaky” workloads, etc. In many instances these factors will still not provide justification for a Cloud service. But where the Cloud service does make sense, Retailers should not hesitate.

Of course, when storing data in the Cloud the Retailer should still use the same security techniques (encryption, firewalls, tokenization) they would for any data stored within their own data center.