Do you have data stored in the cloud?
For many organisations, the answer is an emphatic “yes”. Adoption of cloud services is growing across a wide range of applications – desktop backup, email and collaboration, document management, customer relationship management, and so on. Such services are especially attractive to small and medium-sized organisations: they let you purchase just the amount of service that you need without making a large, upfront commitment to application licences, servers, etc. And you don’t need a skilled IT team to run and support those systems.
How does this work? A cloud service is essentially one that is provided from a pool of servers that can be accessed via the internet. Because this pool is shared across many users, it can be configured to provide a degree of flexibility, scalability and resilience that no single user could afford in their own right. The service provider manages the pool in order to deliver the agreed functionality and service levels to everyone.
That sounds great. So where’s the catch?
The dark lining to this silvery cloud is security. Because servers are shared across multiple users, there’s a risk that people will be able to access each other’s data. And because it’s accessible via the internet, there’s a risk that unauthorised people will be able to find their way into the system. Data in the cloud just feels a lot less safe than data on one of my own servers, locked away in a place that only my trusted staff can access. This concern about security is probably the biggest barrier to even faster adoption of the cloud.
How well founded is this concern? Well, those risks are real. The internet is a scary place, and getting scarier. But that’s only part of the picture. Security isn’t about absolutes. Your data is at risk wherever it is: in the cloud, in your datacentre, on someone’s laptop, on a USB key in their pocket. You need to think about relative risk: “is my data any less safe in the cloud than it is where it’s currently stored?”
When you ask this question, you may start to uncover some frightening things. For example:
- A lot of organisational data is stored in multiple places. The master version might be stored in an application that runs in the datacentre (or at least, on the server under the cupboard), but people download copies to their laptops. Or they send themselves copies via email. Or they cut CDs and put them in the post. The master may be secure, but the data isn’t.
- People adopt unsafe practices not because they’re ignoring security policies, but because these policies force them to fly under the radar. People need to work with data in ways that were never envisioned when the policies were written. They need to access customer records when they’re on the road. They need to download sales records in order to build reports in spreadsheets. To do their jobs, they need to bypass the policy. And because the security systems were built to support the policy, this puts them outside all the protection offered by those systems.
- Small and medium-sized organisations don’t have the expertise to secure their systems. Large companies can afford a dedicated security team. IT managers in small companies are generalists – they configure their systems, run backups, handle user queries, manage budgets, etc. If they’re lucky, they’re allowed some time to sleep. They don’t have the time to be security experts. The bad guys, on the other hand, have plenty of time to build their expertise.
- The odds are weighted against your internal team in other ways too. It’s not just about expertise – security is an asymmetric battle. You need to protect every aspect of your systems, while the attacker only needs to find a single chink in order to do significant damage. And those chinks are constantly changing. The bad guys can devote time to scanning for the latest vulnerabilities, but that’s hardly how you want to prioritise your time.
When you weigh up such factors, the cloud can start to look a lot more attractive. For many organisations, it may well be more secure than their current systems. If data is accessible from the cloud, for example, then people will no longer need to email it to themselves. If they can run spreadsheets in the cloud, then they no longer need to download data. And so on.
Most importantly, cloud vendors need to be able to demonstrate that they’re secure in order to sell their services. So hiring security specialists and building the best possible security systems is central to their business. They can’t afford not to invest in security.
The cloud is still scary. But other places may be even scarier.
About the Author
Graham Oakes helps people untangle complex technology, relationships, processes and governance. He can be contacted through www.grahamoakes.co.uk or at firstname.lastname@example.org. His book Project Reviews, Assurance and Governance is published by Gower.