Almost daily I read about the latest notification of a new data breach. These data breaches span all types of companies ranging from the smallest of offices to the world’s largest organizations, while the number of affected individuals ranges from ten to tens of millions.
These breaches cost many companies multi-millions of dollars in fines and/or lawsuits while potentially damaging their reputations beyond repair. Making matters worse, it isn’t unusual to see a follow-on headline reporting that these records have shown up on nefarious sites offering the data to the highest bidder.
As the COO of a company handling not only our own sensitive information but also hosting our customers’ data, I often get asked whether the cloud is an appropriate place for that data when it seems the information in the cloud is easily within reach of anyone with malicious intent.
After deep reviews and extensive investment in cloud security standards and protocols, I believe that putting data in the cloud actually provides better security, enabling my company to effectively reduce risk while lowering our costs. To understand and to defend that statement, I’ll examine a few of the top concerns and threats to data in the cloud, including general acceptance, data availability, and business continuity/disaster recovery.
Opening up to the Internet
The cloud has traditionally been looked at as a risky location to put critical or sensitive data. The generally accepted location was within the innermost bowels of the corporation’s network, where the most trusted of individuals would protect that data. In the past, this has been a very effective and reasonably cost-effective solution. But today the internal network is required to be open to the Internet, allowing employees to be fully productive no matter where they happen to be or what device they happen to be on. This has led to new challenges.
A few companies can still justify keeping their network shut off from the Internet as they would suffer extreme monetary or reputational damage if they suffered a data breach. Others may have the ability to provide dedicated personnel and invest in multi-million dollar solutions to protect their network from the threats introduced by Bring Your Own Device (BYOD) requirements and the need for individuals to access data from anywhere.
These are the exceptions. Most companies don’t have these luxuries. Most of us are dealing with environments where IT budgets are constantly being examined for potential reductions, while our experts are moving to other positions within the company or to outside opportunities. All this against a background of changing data availability requirements, and where extreme IT flexibility is the norm.
More and more CIOs that I talk to are accepting that the cloud can be appropriately secured, as it can provide better segmentation of data when compared to their corporate network. In fact, the CIA—arguably the most security-obsessed organization in the world—trusts its apps and data to the cloud. The CIA has implemented “on-demand computing and analytic services to the intelligence community,” which just happens to be hosted on an Amazon Web Services private cloud. I believe there is no better barometer of the acceptance of cloud security.
Concerns around Internet connectivity often arise when discussing the cloud. However, I’ve found that traditional VPN solutions provide reasonably secure extensions of corporate networks into the cloud. A more interesting discussion arises when you have the requirement to expose your cloud implementation to the public Internet. Admittedly, this introduces a threat vector that must be considered, but this risk isn’t introduced by the cloud. It is no different than the same requirement to expose your corporate, general-purpose network to the Internet—which you probably already do.
Fortunately, best-in-class cloud providers implement advanced security frameworks with powerful safeguards. These companies are able to spread the cost of technology and staff across many customers as they establish and maintain security controls based upon the latest security standards. Unlike a corporate IT organization that must provide a general-purpose corporate network, these providers are able to focus on a purposefully built environment with very strict controls that often exceed the level of protection most companies are able to implement on their own.
Of course, Internet exposure is only one part of cloud paranoia. Even if your data is locked up tighter than Fort Knox, what happens to your apps and data if there’s a catastrophic failure at your cloud provider’s datacenter? Many companies are legitimately concerned that if a cloud provider’s datacenter goes down, so will their business. Even just a small amount of downtime can result in lost productivity, revenue—and customers. And what about lost data? A company that irrevocably loses information about its customers, partners, financials, or intellectual property may not survive.
As it happens, top-tier cloud vendors are actually well prepared for the possibility of entire data centers going offline. They use what’s called a highly available architecture, which distributes multiple instances of apps and data to multiple, geographically separate data centers. This ensures that apps and data always remain available and are never lost.
The bottom line is that top-tier cloud providers can build far more extensive redundancy, scalability, reliability, and external protection than any individual company can.
The cloud is not only a lot more secure than you might think; it’s also more secure than most of today’s on-premise solutions. This, combined with the many benefits you gain from moving your apps and data to the cloud — lower costs, reduced IT resources, and keeping your systems up-to-date, to name just a few — means that it’s time to put away your fears about cloud security and seriously consider how the cloud can help you grow your business.