Naïve questions about the cloud and the security of our data

After many discussions with different interlocutors, the number of questions about our addiction to cloud platforms has been growing. I became very interested in the subject, particularly in aspects that I find key: digital, software, hosting and data sovereignty. However, the more I progressed in my research and my understanding of the issues, the more new questions arose, which only showed me the complexity of the subject and its stakes…

A cloud platform is first of all a server infrastructure

Conceptually, it is worth recalling some key information about the principle of the cloud platforms on which social networks (SN) are built. What I’m about to describe applies to all the cloud platforms you use, whatever you use them for.

A cloud platform is first of all an infrastructure of dematerialized servers in one or more data centers, which the platform operator may or may not own. The software platform itself is built on top of this first low-level layer. This technical and software architecture increases the complexity of managing and maintaining these solutions, and therefore of securing them.

Let’s look at the security questions raised by each architecture and its stakeholders:

  • The publisher manages its infrastructure itself. External security problems do not arise because only the publisher has access to it. There are security issues related to its employees who work on the maintenance and management of the infrastructure. The only way to protect against misuse of data is contractual, with the limitations that this entails.
  • The platform publisher can also outsource its infrastructure to a service provider: the servers are hosted by this third party but dedicated to the publisher. The management and technical maintenance of the physical servers on which the virtual servers are hosted are carried out by the service provider, whose administrator access to these elements enables it to carry out maintenance operations. One can also imagine that this access allows it to commit malicious acts (copying servers, deleting servers, etc.). Here too, the means of protection is contractual, always with the limits that this type of protection entails.
  • The publisher uses a public cloud. The infrastructure underlying its platform is not necessarily dedicated, which implies sharing the infrastructure with third parties. The necessary partitioning means that the publisher does not have access to the lowest layers. Only the cloud provider has control of the infrastructure in terms of management, maintenance and security…

For each link in the chain, the ultimate protection is contractual, binding the employees who have super administrator access. It is therefore obvious that the more you use service providers, the more you delegate the security aspects of your product to one or more third parties…

This means that these people, who have extended administrator access, have access to your data

Hosting is only the first step. Then we come to the software part, which provides the functionality and lets you store, share (or not) and analyze your data. All these components, including your data, are under the administration of the platform teams. As with any classic application on your computer, there is an administrator profile, which is essential in order to perform maintenance, correct bugs (patching), or even to modify elements concerning you to which you no longer have access. This means that these people, who have extended administrator access, have access to your data. This includes your profile, and so your username and password… Some may object that this information is encrypted and that they therefore do not have access to your data in clear text, but one may wonder who holds the encryption key. If it is the service provider, one might as well say that it has access to all your data. Of course there is the legal “protection” linked to the employment contract of the said administrators…
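The question of who holds the encryption key, as an added example that is not part of the original article: the same AES-GCM encryption is applied twice, once with a key the provider stores and once with a key that stays with the user, and the code shows what a platform administrator can then recover. The names `Provider`, `Seal`, `Open` and `AdminRead` are hypothetical and model no real platform.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Provider is what platform administrators can reach: stored blobs and any keys the platform holds.
type Provider struct{ Blobs, Keys map[string][]byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Seal encrypts data with AES-GCM (16, 24 or 32-byte key) and prepends the random nonce.
func Seal(key, data []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return aead(key).Seal(nonce, nonce, data, nil)
}

// Open decrypts a blob produced by Seal; a wrong key fails authentication.
func Open(key, blob []byte) ([]byte, error) {
	if len(key) == 0 || len(blob) < 12 {
		return nil, fmt.Errorf("no key or truncated blob")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}

// AdminRead is what a provider-side administrator can recover for a user.
func (p Provider) AdminRead(user string) ([]byte, error) { return Open(p.Keys[user], p.Blobs[user]) }

func main() {
	kA, kB := make([]byte, 32), make([]byte, 32) // constructed keys; kB stays with bob
	must(rand.Read(kA))
	must(rand.Read(kB))
	p := Provider{Blobs: map[string][]byte{}, Keys: map[string][]byte{"alice": kA}}
	p.Blobs["alice"], p.Blobs["bob"] = Seal(kA, []byte("alice's file")), Seal(kB, []byte("bob's file"))
	a, errA := p.AdminRead("alice") // provider-held key: plaintext comes back
	b, errB := p.AdminRead("bob")   // user-held key: only ciphertext is stored
	fmt.Printf("alice: %q (%v)\nbob: %q (%v)\n", a, errA, b, errB)
}
```

The second case only holds if encryption happens before the data reaches the platform; the trade-off is that the provider can no longer recover the data of a user who loses the key.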

Have the platforms that let you identify yourself through your SN accounts taken all the security aspects into account?

As you can see, when you dig, many questions arise… But it does not stop there, that would be too simple… Faced with the hegemony of American social networks, a new way to create a profile or to connect to new platforms, whatever their purpose, has emerged: using your #Facebook, #LinkedIn or #Google account to sign up or log in more easily. It’s tempting, one click is enough. However, this poses a security problem, because it is like asking a stranger to keep your house keys so you can go to one of your residences, with the guarantee that they will not go in your place… Moreover, you entrust all or most of your keys to the same provider. Doesn’t this make you wonder?

If we now refocus on American SNs in particular, when you use your FB, LinkedIn, Google, etc. account to connect to another platform, you are giving them the keys to access a platform that is normally outside their scope.

I don’t know for sure, but do you think it’s wise to use this option even when it’s offered to you? Who can guarantee that, the day the American state decides to pick a quarrel with you, it will not access in your place the applications you use and for which you have delegated the keys to an American actor, which is therefore governed by American legislation… Moreover, these applications or platforms to which you can connect are not necessarily for private use; they can be for professional use (collaborative platform, etc.).

We can also wonder whether the designers of these platforms that let you identify yourself with your SN accounts have considered all the security aspects. Is making your life easier, without considering the security requirements, a game that is worth the candle? Moreover, if such a platform claims to be sovereign, is it really so if it offers a potential access door to American or Chinese digital platforms?

As you can see, when we are interested in digital sovereignty, we have to explore the multiple dimensions of the subject. At times, we have to question the need to implement functionalities that effectively simplify the life of users but can lead to security flaws, or even to a concrete loss of sovereignty. Indeed, considering extraterritorial laws such as the American and probably the Chinese ones, and the relationship of the digital giants with their respective governments, one can wonder whether there will be any hesitation to go and retrieve data thanks to the fact that you have agreed to use your #Facebook or #google account to identify yourself on a so-called sovereign platform…

This vision is probably tinged with suspicion towards American and Chinese digital players

I don’t deny that this vision is probably tinged with a great deal of suspicion towards American and Chinese digital actors. Between the theoretical possibility of fraudulent use of your access and actually doing it, there is a step that many people would hesitate to take. For my part, I ask the question so that people who are technically more knowledgeable than I am can dispel this doubt, which is legitimate in my eyes. Besides, knowing the propensity that our American “allies” have to use all possible weapons in order to maintain their hegemony in the digital and real world, it is a subject not to be neglected…