So far, we have been talking about the security issues and threats of moving to the Cloud, and we’ll come back to talk about the impact of the Cloud on additional security threats in future blogs. However, this time in keeping with the festive season, let’s talk about some of the positive facts and opportunities Cloud Computing brings in the realm of security.
There are really no new security issues raised by moving to the Cloud. You have the same compliance, regulatory, and policy issues as you have in your own IT environment. These risks may be more complicated because of the introduction of additional partners and other unknowns, but they are the same risks.
For example, take a typical “collaboration” policy that involves someone creating a document, and then emailing it to a bunch of contributors, editors, and approvers, followed by a seemingly endless succession of versions being emailed amongst the group until someone declares victory, or exhaustion. If this document is about a significant new product, you will want to insure that none of these versions escape to a competitor, or even, if you’re a public company, an investor. You trust every one of the people who are working on it. But where are all the copies? They are on a lot of different individual hard drives, thumb drives, email archives, …. Can you secure them all? What if you have to produce these documents because of a court discovery order? How do you validate that your data retention policy is being applied by all of these individuals?
Consider the Cloud alternative using something like Microsoft Windows Live, Google Apps, or any of a number of other Cloud-based collaborative offerings. The document, in all of its different versions, is in one place. You have added a layer of security complexity because of concerns that the Cloud environment could be compromised (as has already happened) and others could see your documents. There are still concerns about where the document is actually stored, backed up, potentially archived, and who within the company you’re contracting with actually could see your document. Don’t forget they may be contracting out network or storage support to some other company on some other continent. But it is the same set of problems, just a different environment to deal with them.
In many cases, the significant reduction in the number of copies floating around and the centralized location of those copies can make the Cloud-based solution more secure. When coupled with the very significant improvement in productivity that Cloud-based collaboration provides, it often becomes the obvious choice. You still must, of course, choose a Cloud Service Provider and the right SLAs (Service Level Agreements) to match your security requirements.
Thus it is always important to compare security issues in the Cloud with the alternatives. Don’t just look at the security issues of the Cloud, look at how you are solving them today.
One important aspect: if you aren’t concerned about a particular security attribute today, don’t be concerned about in the Cloud. If you have data that does not contain
- Compliance or regulatory protected information
- Any of your own intellectual property or confidential information
- Information you must protect because of non-disclosure agreements with partners
don’t spend a lot of time figuring out how to protect it, and don’t spend a lot of money on unnecessary security measures.
One of the key reasons for the significant cost savings opportunities of the Cloud is the Cloud Service Providers economy of scale. They can build state-of-the-art physically secure, physically separated data centers with backup power and alternate network connections at a fraction of the total cost it would be for each of their customers to do the same. They can staff it with vetted, competent staff and provide each of their customers better support then most companies can afford on their own. For example, just by the nature of how they run, most Cloud Services Providers can offer opportunities to improve your capabilities in:
- Disaster recovery and business continuance
- Higher uptime due to multiple network connections, redundant power, and very aggressive network edge protection against malware and denial of service attacks
- Document management
- Integration of social media
- Geographic expansion
This economy of scale also applies to security. For example, most Cloud Service Providers
- Aggressively keep their malware detection and protection software up-to-date and constantly monitor that it is functioning.
- Aggressively keep software up-to-date with the latest security patches for Platform as a Service and Software as a Service engagements thus minimizing the size of an opportunistic attack window.
- Have trained teams to provide immediate, effective and efficient response to security incidents at any time.
- Can afford to hire security specialists with expertise in preventing and dealing with specific security threats. (Most companies can only afford a few security generalists who can take time to understand and deal with a threat they haven’t seen before.)
- Often provide standardized interfaces to their managed security services, allowing you to continue any custom security monitoring or intervention processes.
- Can provide faster and less disruptive evidence gathering when there is a suspected security breach. Through the ability to clone virtual servers and storage on-demand, you can make an image of a live virtual server or just some specific applications along with any associated storage, and do forensic analysis and test fixes with minimal impact to your operational system. Since you can create multiple copies of storage, you can perform parallel analyses to reduce investigation time. Some Cloud Service Providers may offer help with that forensic analysis.
- Are motivated to have rigorous internal audit and risk assessment procedures to preserve their own reputation.
Nobody notices a clean house, but they do notice dust on the furniture. Nobody notices your business is secure, but they do pay attention when you prove it isn’t. A security breach can impact your reputation, your revenue, and even threaten the existence of your business. Use the Cloud where appropriate to reduce those risks.
The last word:
Three things to remember about security in the Cloud:
1. Compare potential Cloud solutions with alternatives, including what you are currently doing.
2. Don’t spend time and money securing data beyond what is required.
3. Look to take advantages of some new opportunities the Cloud Service Providers can give you for reasonable cost because of their economy of scale.
I wish you and your family a joyous and festive holiday season, and best wishes for health, happiness, and, as a distance third in priority, wealth in 2011.
Keep your sense of humor.