The first objection, and most common concern, I hear from customers about moving to cloud-based applications is security. How can we protect our data if it’s not on our servers, in our data center, and under our control?
To answer the question, I first need to narrow our definition of the cloud. For the purposes of this post, when I say cloud-based applications, I am referring to multi-tenant, quasi-public, Software-as-a-Service (SaaS) applications or platforms. I am not talking about what some refer to as private cloud environments. AccuCode moved to Google Apps about five years ago and today has a business unit that helps other companies move to Google Apps. So it’s the one I am most familiar with. Google Apps is the poster child for the multi-tenant cloud but there are many others.
It’s my opinion that public, multi-tenant applications are more secure than most of the systems you run in your data center and/or private cloud environment.
The following is a list of reasons why I believe this to be so.
#1 Lock them up and throw away the key.
Your applications and data are no longer on your servers in your facilities. Every IT security expert on the planet will tell you that your employees are the biggest security risk you will ever face. Either by accident or malice, they have a lot more opportunity and motive than any outsider will ever have. I’ve seen it happen many, many times. A server gets unplugged to be re-commissioned, except it was a production server with really important data on it. Oops. Real statistics back this up. Most security breaches involve at least one insider. Getting that information off of your servers and out of your facilities is the most effective thing you can do to improve reliability, uptime and security.
Google spends (and can justify spending) more money on redundancy and IT security than any company or country in human history. Google is now the 4th largest manufacturer of servers in the world. They do not sell them to anyone, they consume them all themselves. Keeping their systems up and your data (and theirs) secure is mission critical for them. If they fail, their credibility suffers and the billions they have built in shareholder value are jeopardized. They have designed this need for security into every layer of their architecture. Can you say the same about your environment? How much does your company spend just on IT security? Would you say it is mission critical to the success of your business? Is it a core competency? For most, the answer is no and not nearly enough. The reality is reliability and security are requirements for any vendor of scale in the cloud. If they fail to deliver it they are out of business. For most companies, security is an afterthought, like IT in general. We picked the tools we liked and then tried to figure out how to secure them after we acquired them. Security is an emotional check box for most, “The vendor says his application is secure. Check the box, feel good about it.”
#3 Hiding in plain sight.
In a public cloud environment, you, your domain, and all the data associated with it are very well hidden. In storage, all the data is encrypted. In transmission, all the data is encrypted. Your data model can only be identified by a set of random key identifiers. Can you say the same about your current environment? Here’s the analogy I use to explain it to customers. Imagine the Orange Bowl filled to capacity with middle-aged males, all dressed exactly alike, each with a random number on his back. Now, you have about 120 seconds from the time I say go to find the one guy in that crowd you are looking for. Oh, and by the way, you have to crack the encryption algorithm first to figure out which guy you’re looking for. That is what a hacker faces when trying to get at your data models inside of Google Apps. Except he has to get through multiple layers of security before he can even see those data models. Now think about your current environment or, worse yet, a private cloud environment by comparison. There you are the only one in the stadium and you’ve hung up a neon sign that says, “All of our really important stuff can be found HERE.” Great, now the bad guy knows exactly where to break in.
#4 No more copies of copies.
Ever worked on a project with an internal and/or external team where some set of documents or presentations got passed back and forth, with everyone making their edits and comments and then trying to bring it back together in a unified version? In the cloud, that stops; now there is one copy, it lives in the cloud, and we all share it in real time. If you are authorized you can see it. If you’re authorized you can edit it, with me or a whole team, but there is still only one copy (unless someone makes more). In the first scenario, every copy becomes another potential security threat. Within your legacy environment today, there are tens or hundreds or even thousands of copies of your company’s sensitive data on servers, back-up tapes, PC hard drives, thumb drives, email in-boxes, PST files, and personal backups. In the cloud, this can stop, and not only does it save massive amounts of storage, it is fundamentally more secure. An admin can go in and cut off anyone’s access rights to your domain and they are out. It only takes a few seconds and can be done from anywhere. They don’t have copies, and they can’t pull a hard drive or just walk out with their laptop, because the data stays in the cloud. This doesn’t mean it can’t be copied if they do have access, and nothing is ever going to be completely secure, but this approach is more secure than the current legacy systems.
With cloud-based solutions, you are always on the latest release. Every time your web browser refreshes, there is an opportunity for new features, new functions, and new code behind the screens. That means if there is a security hole, it can be patched for all users in a matter of days or hours. In your legacy systems that just isn’t possible. Your IT staff has to get the updates, bring the system down, install the updates, bring the system back up, and then test it. If they don’t keep up with the updates (almost no one does) then your system may not be secure. Worse, if they get a couple of updates behind, they may have to go through this entire cycle for every update release in order to get to the latest release. This is of course if you’ve kept your maintenance/support contract up to date. Otherwise you don’t get the updates. In the cloud, this entire process just goes away.
I’ll stop there, but I could keep going. The reality is, if implemented correctly, cloud-based solutions are MORE secure, not less.
If you’ve made the move to the cloud and either agree or disagree with these observations, we would love to hear from you. If you haven’t and you are still on the fence, give us a call or post a question, we love to be of assistance.