We live in a dynamic real-time world and we are pretty much always connected to the Internet. As a result, a lot of our personal and business information is not only moved over the Internet, it is stored in the cloud!
The ‘cloud’ defined
The cloud is a confusing and poorly understood concept for many of us. My simple definition – the cloud is mostly anywhere other than physically on your own PC, mobile device, work computer or network. Think Facebook, LinkedIn, Salesforce or any smartphone app – these are all systems that store (our) data in the cloud.
Perception is reality
Most people and businesses think about data security and privacy in the cloud in one of two ways. We’re either completely distrusting and suspicious or blindly accepting.
Have the PRISM revelations changed the way you view security and privacy online?
“If you want a picture of the future, imagine a boot stamping on a human face—for ever.”
― George Orwell, 1984
By contrast, most of the generation under the age of 30 are completely oblivious to cloud security and privacy threats, and accept they’re just part of our modern, always-connected way of life.
So let’s dig a bit deeper and take a look at the facts using a typical small business as a case study.
Security in the cloud vs. in-house security
Small businesses have two options for running systems and storing data. Either in-house on their own computer equipment, or in the cloud. Often a combination of the two is utilised during transition to the cloud or because some legacy systems simply won’t run on a cloud platform.
Option 1: In-house
With the in-house option, let’s think about just some of the things that would need to be in place to ensure the security and privacy of the business data. These things are true for individuals too; however, they’re usually not even considered by most of us because of the cost and effort required.
- Daily backups including regular checking that data can be restored
- Protection against viruses, malware, spyware and whatever is coming next
- Spam filters
- Firewalls (often multiple layers for businesses) to protect against hacking and unwanted visitors
- Ongoing upgrades to operating systems, software and hardware
- Encryption of highly sensitive data, usually customer or financial data
- Monitoring systems to alert against intrusion activity
This is a long list, and a lot of work and money if done correctly.
Option 2: In the cloud
The alternative is to manage all systems in the cloud and let someone else take care of security. But that’s a huge risk, right!? You can’t see it or touch it, so how can you control it and be secure?
The reality is that data in the cloud is, in most cases, dramatically more secure than when it’s stored locally. One reason is that most businesses do not undertake even a fraction of the controls on the list above. However, the primary reason data is relatively secure in the cloud is that the economies of scale of the largest cloud services organisations allow huge sums to be invested in security best practices. Think of the size and value of some of the most prominent cloud providers, including Amazon Web Services (AWS) and Salesforce.com. Like the largest banks, they spend many millions on the security of their customers’ data – many of whom are small businesses.
While it is true and concerning that there have been many well-documented cloud failures these last few years, cloud services are maturing and cloud vendors are evolving their services. One key outcome of these failures has been a greater awareness among the major cloud vendors that data must be kept secure and reliably available.
Leading global IT analyst Gartner published a report this month which says that Australian organisations are forecast to spend $542.7 million on Software as a Service (SaaS) in 2013, up 27.7% from $424.9 million in 2012, with SaaS expected to have a compound annual growth rate of 25% in Australia from last year to 2017. So it looks like businesses in Australia are starting to agree that the cloud is a relatively secure place.
Important tips for cloud data security
- Use a cloud supplier with independently and credibly verified data security policies. Ideally those policies would be audited and verified annually.
- Ensure the supplier has appropriate service levels available for the restoration of data and services after an incident. These service levels need to match your own business needs. Think about the impact on your business if your service is unavailable for a few hours, a day or a week.
- Avoid vendor lock-in. This critically includes ensuring an easy method for recovering your data when you terminate your relationship and wish to move to another supplier.
Big Brother as predicted by Orwell
As for privacy, the US Congress voted on the 25th July 2013 to continue electronic surveillance of its citizens. Need I say anything more?