Risk Assessments in Data Storage


I attended a guest lecture last year where Sarfaraz Rehman [CEO of Dawood Foundation] shared his views on the internet generation and the importance they place on "staying connected" at all times. The quote is paraphrased and does not represent his exact phrasing: "Life does not exist on the internet. It's out here, in the real world. And some would venture to say that the more time you spend on the internet, the less life you have." This should serve as a wake-up call to avid users and evangelists of cloud storage tools such as Dropbox or Evernote, the latter of which was recently hacked in a massive coordinated attack that leaked sensitive information of its reported 50 million plus users.

I've never understood how people thought storing every piece of data you have in one place was a good idea. That goes against investing advice like "Don't put all your eggs in one basket" or graduate school picking advice like "Always have a safety school". From an infrastructural perspective, it's not, of course, in "one place" but in multiple systems geographically distributed. As for risk, it's better to only put genuinely sensitive information in systems that you know are well designed to encrypt the data with a key that only you have. It all comes down to the risk versus the value of the service. This is a common analysis when performing the risk assessments required to comply with various security and industry standards (PCI, Sarbanes-Oxley, etc.).
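To make "a key that only you have" concrete, here is an added example (not code from the original post, and not tied to Dropbox, Evernote or any real service) of client-side encryption: the note is sealed with AES-GCM under a key generated and kept on the client, and only the resulting blob is handed to the storage provider. The `Sealed` type, the helper names and the sample note are constructed for this illustration; the point is that a breach of the provider's storage exposes ciphertext, not the note.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Sealed is what the storage provider receives and keeps: a per-message
// nonce plus the AES-GCM ciphertext (which carries its own auth tag).
// Constructed type for this example; not a real service's format.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a 256-bit key on the client. The provider never sees it;
// losing it means losing the data, which is the trade-off the text describes.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext under key with AES-256-GCM and a fresh random nonce.
func Encrypt(key, plaintext []byte) (Sealed, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Sealed{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt opens a Sealed blob; a wrong key or a tampered blob fails the
// GCM authentication check and returns an error instead of garbage.
func Decrypt(key []byte, s Sealed) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// ProviderCanRead models what an attacker holding only the stored blob
// learns: it reports whether the plaintext appears verbatim in the blob.
func ProviderCanRead(s Sealed, plaintext []byte) bool {
	return bytes.Contains(s.Ciphertext, plaintext)
}

func main() {
	// Constructed sample note; the kind of content the post calls
	// "genuinely sensitive information".
	note := []byte("constructed sample note: account recovery codes 1234-5678")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes, plaintext visible: %v\n",
		len(sealed.Ciphertext), ProviderCanRead(sealed, note))

	back, err := Decrypt(key, sealed)
	fmt.Printf("client decrypts OK: %v, err=%v\n", bytes.Equal(back, note), err)

	wrong := make([]byte, 32) // a key the provider might guess or hold instead
	_, err = Decrypt(wrong, sealed)
	fmt.Printf("decrypt with another key: err=%v\n", err)
}
```

The risk assessment the text describes then becomes a question you can actually answer: if the service only ever stores `Sealed` blobs and the key lives on your devices, a leak of its database exposes nothing readable, and the residual risk is your own key management (backup and loss) rather than the provider's breach history.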

Understanding those tradeoffs is akin to making decisions about whether to go swimming at a beach that might have currents, cross a busy street, or engage in any activity that has risks and rewards (lots of "adventure" sports come to mind). Hopefully younger people are developing the skills to make those decisions rationally and reasonably as they grow up; among the 30+ set, it's not very common outside of those who work with the technology or are forced to do the analysis by their job function.