Cloud Computing is all the rage these days. CIOs seem to be diving into cloud-based solutions with reckless abandon despite the fact that a mistake in planning or execution can have career-limiting effects. So, let’s take a moment to balance the benefits against the potential security pitfalls that lie in the clouds.
The really important question is, How safe is your business in the clouds? After all, cloud vendors all aim to put your stuff onto cloud servers, and in most cases, these systems sit outside of your data center and outside of your direct control.
While this may buy you some cost reductions, it carries significant risks. Let’s consider the classic triad of information security: confidentiality, integrity and availability.
There’s no getting around that putting data onto an external server carries confidentiality risks. No matter what your cloud vendor may promise contractually or in its service-level agreement, if its security gets breached, so may yours.
How do you counter that risk? You can encrypt sensitive data, or you can keep the real sensitive stuff off the server. Encryption can be a viable path for some stuff like off-site backups. Being particularly careful about what goes on the server can help as well, so long as you maintain some level of oversight and control over the day-to-day decisions. That is, if you give your users the ability to store stuff on a cloud server, they’re liable to store all sorts of stuff there, blissfully unaware of the security risks.
As to integrity, the risks in cloud computing are relatively small, unless, that is, your cloud service provider’s security gets breached. If an attacker breaches its defenses and tampers with your business data, then integrity can become vitally important all of a sudden, depending on the nature of the data.
And then there’s availability. When you put your data in the cloud, you’re gambling that it will be available when you need it, betting that the availability won’t be eroded by network outages, data center outages and other single points of failure. You can hedge your bet a bit by going with an industrial-strength cloud provider, but you’ll pay more. If availability of data is important to your business, then you can’t blithely go with the lowest bidder. You need to do appropriate due diligence and find out everything you can about your vendors’ availability, disaster recovery and business continuity plans. “Trust but verify” should be your mantra.
Much of this sounds like Information Security 101. To be sure, there’s a lot of plain old common sense that should be applied when considering cloud solutions.
At my company, we do use some cloud services and get gobs of value from them. For example, we are fans of Google Docs. It helps us keep our documents synchronized across my various computing devices. But I’m also careful about the data I put there. I keep business-sensitive information on my local hard drives, and generally encrypted.
I’ve also found great value in using cloud services as part of my disaster recovery.
But the bottom line is that it is about balancing risks and benefits.
That’s how we should view cloud services in general. It’s important to make informed decisions before diving into the latest trend. There is value to be found in cloud computing. But rely too heavily on it, or place your deepest darkest secrets on it, and you’re likely to be disappointed.