
Cloud Security: Are people’s concerns justified?

on March 29, 2010

The advantages of Cloud computing are well documented, yet security concerns about this delivery model appear to be dampening its widespread adoption. There is no doubt that services in the Cloud – in all forms – offer a new, more efficient, and economically attractive model, yet some organizations remain cautious.

Three of the most common questions asked are ‘How is my data protected?’, ‘Where is my data?’ and ‘Who has access to my data?’ These are valid questions and ones that any organization considering making a move to the Cloud should be asking. Threats to an organization’s security are a reality and I would expect a business owner to ask these questions and others too.

But when looking at Cloud-based services, are the security concerns any different to those that businesses have been facing for the past 30 years? I don’t think so. So while these concerns are justified, I would argue that they are unsubstantiated because the approach to security should be no different if it’s in the Cloud or on-premise.

Let’s address each question separately.

‘How is my data protected?’

It is in the interest of every vendor offering cloud-based services that its clients’ data is secure and protected. In a country like the United States where a lawsuit could result in material punitive damages for a business, Cloud-based solution vendors do their utmost to protect the data they are managing. They have to out-perform because they know that a single incident, a single breach could lead to litigation and significant risk. Therefore, Cloud-based solution vendors not only have the latest technology, the latest firewalls, the best datacenters and the highest levels of redundancy possible but they will apply multiple layers of defense in-depth that your average business (a Fortune 500 company may be an exception) can never have. Thus, if the cloud-based vendor can offer such a high level of security that is beyond what an SMB can provide, isn’t this concern irrational?

‘Where is my data?’

If Cloud-based solution vendors are going to extremes to protect their clients’ data, rest assured that they are also using optimized mechanisms to replicate and secure that data across multiple locations. If a business’s security concerns are being addressed, the location of its data should be of little concern. That is why I’d argue that this fear is also not justifiable.

‘Who has access to my data?’

I would argue that clients’ concerns should focus on how flexible the service provider is in meeting their requirements. In choosing a vendor, the existing security policies adopted must meet the needs of the business paying for the service. Moreover, if the client’s security requirements change, these changes must also be reflected in the security policies implemented by the Cloud-based solution vendors. What has changed with the Cloud is the extent to which security policies can change. For example, if an employee is made redundant, you would delete his account and block all access to the network. When using a Cloud-based service, you now also have to block any access rights to the data that is stored in the Cloud. The concern that an employee could take confidential data with him is the same in both cases. The process to stop that requires additional policies. This is why it is so important that a vendor’s security policies are flexible and can change as their clients’ needs change.

Organizations also need to look at associated costs if they decide to change vendors. The decision to choose a cloud-based solution vendor must be based on the following rule: if the switching/migration costs are greater than the annual subscription costs, then it is wise to steer clear and avoid unnecessary risk.

One final point I’d like to make is that security issues may have changed slightly with this delivery model but the approach to security should be the same irrespective of where the data is kept – on-premise or hosted/managed in the Cloud. The same best practices apply. Good business judgement is still required. What I do believe is that security in the cloud will be better than anything a small or mid-size business can implement.

About the Author:

Walter Scott is CEO at GFI Software. Walter most recently served as the CEO of Acronis, a provider of scalable storage management and disaster recovery software, where in the space of three years he increased revenues from less than $20 million to approximately $120 million for 2008. Prior to joining Acronis, he was CEO of Imceda Software where he executed a combination of leadership and marketing strategies that resulted in a successful sale of the company to Quest Software for $61 million. Walter was also instrumental in Embarcadero's successful IPO in 2000. He started his career in sales with Banyan Systems where he contributed to the growth and success that led to Banyan's IPO. Walter holds a Bachelor's degree in Marketing and a Master's degree in Business Administration from the University of Maine.

 
Comments
Matthias August 31, 2010 4:47 pm

Although I agree with the fact that trusting a major vendor of software in the cloud with company might be a better approach in some cases than trusting one or two IT staff in-house, an emerging concern for cloud delivery models using virtualisation platforms is also the risk of side channel attacks causing data leakage across co-resident virtual machine instances.

This risk is evolving, though currently is considered to be in its infancy, as the virtual machine technologies mature. However, it is possible that attackers who fail to compromise endpoints or penetrate cloud infrastructure from outside the cloud perimeter may consider this technique, acting as a rogue customer within a shared cloud infrastructure to access other customers’ data.

Michel Billard February 13, 2011 11:23 pm

Thanks for the article. This topic is a hot discussion point at my job. We constantly argue about using Cloud services or not. I believe that Cloud-based solutions can really help a small company, but sometimes I wonder if I’m being too naive. On the other side, I don’t think all the fears of having your data stolen are really founded and that most of the time, it’s just paranoia kicking in. Even though the content was leaked, would it really be such a big deal most of the time?