The Cloud - How safe is your data?

How much data do you have in the cloud?

For many organisations, the answer is probably: “a lot more than last year”.  The cloud is being used for a growing range of applications – sharing designs and documents with agencies; managing customer data across a variety of email, social media and CRM services; project management; file backup.  For a small organisation without the capital and skills needed to run a large IT infrastructure, the cloud can look like the ideal answer to many questions.

Cloud services work by sharing resources across multiple organisations.  This lets the vendor provide a degree of scalability, flexibility and resilience that no single organisation could afford in its own right.  The vendor is responsible for building the underlying pool of servers, software, etc., that delivers these services, and for providing the skills necessary to manage them all.  Everyone can then access the services they need via the Internet.  A big win for everyone.

Did you spot the problems in that last paragraph?  Everyone is sharing resources.  So there’s a far greater risk that we can all see each other’s data than if we all had our own private servers.  And everything is accessible via the Internet.  We all know that the Internet is full of bad guys trying to hack into our data.  So security is the dark lining to the shiny cloud…

Or is it?  Think about this another way.  Those risks are real, but they’re only part of the picture.  Your data is at risk wherever it is.  Datacentres get breached too; laptops get stolen; CDs get lost in the post.  It’s the relative risk that really matters: is your data any less secure in the cloud than where it’s currently stored?

If you look at most organisations’ data, the current state is pretty scary.  For example:

  1. A lot of data is stored in multiple places.  The master version is in a database on a server that’s secured in a datacentre somewhere.  But people extract copies of this database onto their laptops so they can process it in spreadsheets.  They email copies to themselves so they can access it while on the road.  They pass those copies around via USB sticks.  The master is secure, but the data isn’t.
  2. Most of these copies are “illicit” – they violate the organisation’s security policy.  People need to work with data in ways that were never envisaged when the policy was written, so they find ingenious ways to get their jobs done.  This puts them outside the policy, and hence outside the protection of all the organisation’s security systems.  (As those systems were set up to support the security policy…)  This makes the data doubly insecure.
  3. Most organisations don’t have the expertise to secure their systems anyway.  Large companies can afford a dedicated team of security specialists.  Small and medium organisations can’t.  At best, they have a couple of generalists who have to perform general system administration, handle user queries, undertake backups, manage budgets, etc.  Security is just one task among many.  The bad guys, on the other hand, can afford to be focused.

Weigh up such factors, and the cloud might start to look pretty attractive.  If you use a cloud-based analytical service, for example, people will no longer need to download data to spreadsheets.  If they can access cloud data while on the road, then they won’t need to email copies to themselves.  Likewise, they won’t need to pass around so many USB sticks.  Moving more data to the cloud may actually result in a net gain for security.

And cloud vendors need to be secure if they’re going to sell their services.  So hiring security specialists and building the best possible security infrastructure is mission critical for them.  They can’t afford not to invest in security if they want to maintain their reputation.  As with scalability, flexibility and resilience, a good cloud vendor should be able to provide a degree of security that none of its clients could afford in their own right.

You still need to be cautious about security in the cloud.  Many vendors haven’t yet achieved that level of security.  You need to think carefully about just how you will share data.  Think about the risks and address them.  Don’t let them drive you away from the potential benefits of the cloud.