The issue with SaaS and the Public Cloud

We are often asked:

Is it a bad idea to store corporate data on Dropbox?

Or: Should I store my organization’s data on consumer grade SaaS clouds like Dropbox, Google Drive or Microsoft Office 365?

As businesses have, on average, enterprise data floating around on more than 16 different SaaS cloud platforms, the compliance and security challenge of making sure all of those are well protected is huge. On top of that, most businesses don’t even have an overview of the SaaS platforms used in their organization, or of the data on them and associated risks.

This situation is risky – here’s an overview of some of the problems we consider the most relevant.

No control over access to your data

When you share a link to a public SaaS cloud via email, every person who gets their hands on the link can see the file you shared. If an email with a public link to one of those SaaS clouds is intercepted or forwarded you have no control over who can see the file. With Nextcloud’s File Access Control tool you can ensure that IP address ranges outside your company don’t get access to files if you don’t want them to be shared with third parties. The key here is: administrators are no longer in control. Instead, employees are. This is a huge legal liability, even if you fully trust that your employees would always respect your company policy and always act 100% responsible with regards to security (like picking strong passwords, among others).

Don’t know where your data is

Whether you care about your users’ privacy or just want to meet your compliance requirements it is essential that you know and can choose where your data is stored. This is extremely relevant in Europe, for example, where every company handling citizens’ personally identifiable data has to be GDPR compliant since May 2018. Fines for each incident can go up to 20 million or 4% of a company’s annual revenue.

Of course, this is not the only costly factor of a data breach, Wall Street does not take cyber security incidents kindly. Research shows an over 7% drop of share prices within a few days but also that after 2 years, companies that were hit by a significant data breach under perform the market by about 13%! A study by Veritas Technologies shows the wild growth in cloud services multiplies the cost of ransomware attacks. So consolidation is paramount.

When it comes to storing your data, choosing to trust a company based on its location is not enough. The location of the company’s servers matter too, and you need to be able to make your own choice in that matter as in some countries, governments can get access to all data stored on all the servers inside the country. For example a US-based company could locate its servers in China, where data centers are very cheap, and not tell you about it. Any government that can assert power over the company due to having subsidiaries in its country can enforce its policies – including access for its own companies for corporate espionage, for example.

In such cases you could be breaking compliance rules without even being aware of it and be fined. You can read more about Nextcloud and GDPR compliance here.

Keep also in mind that while, of course, these companies often monetize your data, they will tell you it is first anonimized. Sadly, time and again researchers show that 99.9% of that ‘anonymized’ data can easily be traced back to individuals. So ‘personally identifiable’ applies more often than your SaaS vendor will tell you. No, removing the name and address of a user from GPS data does not hide the fact that they spend every night at least 10 hours at the same location…

Even when SaaS vendors promise you GDPR compliance solutions from prominent vendors like Microsoft fail to follow the requirements and risk business data as a Data Protection Impact Assesment of Office 365 by the Dutch government showed again in mid 2020.


DPIA commisioned by the Dutch government shows a series of issues in Office 365

A single points of failure

Most companies use online storage services provided by a few large companies. That means that a lot of relevant data is concentrated on the servers of very few companies, which are called “single points of failure”. Of course, those servers are very attractive to malicious attackers. And if one of those companies get hacked, every person and company that relies on them will have to deal with the consequences.

Even if the security teams of such big companies are probably very competent they will have to deal with much more attacks as the content of their servers is so attractive. When you run your own infrastructure or pick a local cloud provider like you can do it with Nextcloud, you can remove your company’s data from such an attractive server and reduce the risk of being hacked: a powerful benefit of decentralizing data, the way the internet was designed.

And decentralization has more benefit. There are a lot of different servers out there with Nextcloud, each having their own protections and security setup around it. The German Federal Government’s Bundescloud is even 100% firewalled from the internet and any Nextcloud user can do that too – good luck doing that with public cloud solutions like Dropbox, Google Drive or MS Office 365! The city of Geneva uses a sophisticated network of reverse proxies to control exactly what Nextcloud capabilities external users can access – nothing gets through that has not been, explicitly, vetted by the team in advance.

Thus, a self-hosted solution can ultimately be made more secure than a publicly hosted one, simply because you can limit access to a range of known IP addresses in a firewall (including fully air-gapping it from the internet) and because every server will have other protections in place -> there is security power in diversity and federation.

You won’t know if you got hacked

Everything gets hacked, whether it is by malicious actors using vulnerabilities in a system or through very basic phishing emails. Despite all your efforts to choose the right online storage solution, you could still get hacked. In that case it is essential for you to be aware of the hack as quickly as possible, as you probably want to be able to take action immediately and limit potential damage.
screenshot

Big companies are not famous for warning their customers after a hack if they can avoid it. They will likely hope that the hack will stay unnoticed so they can keep their users’ trust, as it has happened in the past. The only way to make sure you are aware of any incursion on the server where you store your files is to have control over your own infrastructure and be able to monitor what happens with your data.

You won’t get (exactly) what you need

What is better than an online storage solution that works? An online storage solution that works exactly like you want it. We hear from countless customers about the unpredictability of public SaaS clouds. You come in the office on a Wednesday morning to find 100 new tickets waiting for you: your cloud vendor had decided to roll out an update which removes a button many of your users wanted and now you get to explain to them that there is nothing you can do to bring it back. Of course, no warning was given, but certainly you got an email now telling you how wonderful the new version is. Well, great, you’ll enjoy it after answering all the complains from your users…

Open Source software is known for being much more flexible than big services that try to adapt to everyone by offering a solution tailored for no one in particular. With Nextcloud you can personalize your online storage solution with applications, and if you don’t find the application you need, create your own. Have a look at our Nextcloud App Store! You will finally have a system that works exactly like you want it and be able to build an ideal workflow for your company. Just as important, YOU control when a new version is rolled out. You get a chance to test it and make sure it does what your users need.
camera icon

You won’t know what happens with your data

When you rely on proprietary software it is really hard for you to exactly know what it does with your files. You could be running spyware on your company’s computers or the software that handles your data could have back doors. Imagine having a locker (at the gym, for example) and being given your own key for it, but the gym owns a master key that can open all lockers. It’s the same with back doors: the company you trust with your data could have built a hidden way to access your private or confidential files in the software you use.

Of course, this is not always the case – there’s plenty of ways to offer services for free without selling users data. However it is the case that some companies, including public clouds, are in the business of selling data and you may want to avoid these services when it comes to your data.
meltdown and spectre icons
But as we analyzed before, typical software licenses are full of awful clauses, usually topped off with forced arbitrage so you won’t even have a chance to sue if the vendor misbehaves.

It might not even be their fault: the recent security issues with Spectre and Meltdown have shown that the separation of customer data on public compute clouds is deeply flawed, if not plain impossible.

While there it is really hard for you to check if proprietary software is spying on you or has back doors built in it or if the cloud server it runs on is really secure, with open source you have access to all the code and run it where you want. You may not be able to understand that code but with open source, it is possible for other people and companies to check that the code is free of back doors and alert its users if they find anything you should know.

Consequently, study after study shows the risks of an uncontrolled SaaS ‘strategy’

Public consumer clouds are risky. A McAfee survey showed that 25% of organizations using public cloud suffered data theft. A Code42 study concluded employers fail to stop employees from syncing company files to personal cloud accounts.A study by Veritas Technologies shows the wild growth in SaaS services multiplies the cost of ransomware attacks.

With all these risks, it is not illogical to see 70% of enterprises planning to move one or more SaaS applications back on-premises!

It is all about control

In the end, it is about control. With public SaaS, you don’t have much of that. Promises, certainly, certifications even. But no guarantees. Self-hosting (be it in your own data center or at a trusted, local hosting provider) continues to be the most elegant way of staying in perfect control over your business-critical data, and Nextcloud provides exactly what you need!