Security is always a major concern when discussing public cloud services. CIOs, and often senior management as well, feel safer keeping control over vital company data than trusting it to a third party somewhere out on the Internet. You know where the data is physically and what is happening to it, and that simply feels safe. Large enterprise CIOs routinely use security concerns as an argument against using the public cloud.
But is your data really safer at home? Few companies have the IT security budget to build and maintain anything close to an ideal security environment, and the tools to secure an internal virtualized environment are not yet available. Security is also an increasingly complex area, with an arms race under way between ever more sophisticated bad guys and your security staff. Even highly secure government and private industry sites have been hacked. Top security experts are in short supply, and many companies cannot afford them. SMBs in particular often have to rely on generalists who lack the depth of knowledge in IT security to match the international cracker community. And many large enterprises cannot even keep their software patches up to date, a clear security issue that requires no great technical skill to see or to remedy.
And just because no one is aware of any successful penetrations of your data does not mean your security is adequate. One of the most common comments I hear from security experts is, “We have clients who weren't even aware that they had been penetrated.”
Security is a multifaceted subject, including protection against penetration, malware, and accidental data corruption, as well as data backup, recovery, and disaster recovery (DR). The first, protecting sensitive systems against penetration and theft, is one of the most worrisome, and it has two distinct sets of challenges. One is preventing remote penetration of the corporate firewalls and sensitive internal systems. Today even highly secure systems have proven not secure enough to stop highly sophisticated crackers, sometimes working for foreign governments. Your data may feel safer at home, but if your data center is connected to the Internet, then your exposure is basically the same as the cloud service providers'. But while IT security is a side issue for your company, it is a core competency for the service provider, commanding the attention of its senior management and major investment. Unless your company gives the issue that level of attention and investment, the service provider is probably more secure.
The other major aspect of penetration is physical theft of a laptop that contains sensitive business data, often in violation of corporate security procedures. Most of the embarrassingly public disclosures of compromised customer data have involved lost or stolen laptops. But CIOs often cannot tell senior management that they may not download portions of the company's sensitive databases to work on overnight or on a business trip. A third-party service provider can prevent any downloads and require all data to be accessed through a VPN and simply displayed on, not downloaded to, user devices.
Malware of various kinds remains a major risk whether your data is maintained in-house or at a service provider's site. But the provider can implement software that checks the security status of every end-user device that tries to access your services and blocks those that do not meet required security levels including up-to-date, active anti-malware, even if it is the boss's laptop. And if something does get past their defenses, they should be well equipped and staffed to minimize the damage and eliminate the problem.
Data backup and disaster recovery are a major issue for organizations of all sizes. Again, this is a basic competency for cloud services, and they need to have clear, tested systems and procedures for rapid recovery from disasters ranging from a disk failure to the loss of a data center. The larger providers operate multiple data centers worldwide (and some SaaS vendors run their services on those large IaaS vendors). This gives them the advantage of maintaining your data and software on multiple sites, allowing them to switch between sites if service to one data center is interrupted by a technical problem, a local or regional disaster, a denial-of-service attack on a site, or just high demand that slows service. Internally, only large multinational corporations enjoy this advantage.
Action Item: Obviously not all services are equal, and prudence dictates due diligence on any cloud service your company considers using. But given the number of SMBs that go out of business each year after a fire in their office destroys the only up-to-date copy of their core business data, and the number of large enterprises that are years behind on installing security patches on their software, you should not just presume that your data is more secure at home. And CIOs who argue against using cloud services mainly for security reasons should consider their personal position if their systems are penetrated. Do you really want to bet your career on the security of your data center?