The Cloud. It is everywhere you turn. Vendors that stand to profit by it tell you to embrace it. Vendors that stand to lose market share to it tell you to fear it. At two conferences this month, I heard both views espoused by vendors and consultants alike.
Then, over dinner, I heard a chunk of reality. A fellow attendee was complaining about a current cloud vendor. The vendor hadn’t done anything wrong except fail to deliver a security feature he needed. He was a little frustrated, but for a good reason. His specific security requirements were not being met in the cloud. This was not fear, uncertainty and doubt (FUD). This was a legitimate concern, and it was refreshing to hear.
Fear, uncertainty and doubt
Most of the negativity you hear about cloud vendors is about security. Their competitors claim that the cloud is not secure. They claim that your information is out there for anyone to take. They claim that the cloud could go down and take your data with it at any point.
They are correct on all counts.
They neglect to mention that your own data centers are not secure. They neglect to mention that the information on your corporate systems is sitting there, waiting to be taken. They have forgotten that even the best private data center has outages, both planned and unplanned.
No system is ever 100% secure. The goal is to be secure enough that the reward for breaking in does not equal the cost. The goal is to be secure enough that the hackers move on to an easier target. The goal is to make sure that the damage that occurs from a breach is minimal.
Cloud vendors can hire better security professionals than most corporations. They offer more money and stock options. Show me a security expert that would rather work a corporate job than for a Silicon Valley startup, and I’ll show you an expert that has lost their fire.
Cloud vendors are building business models based on trust. They cannot afford a breach of security. If they are more than a few years past inception, their security is likely very good. Either that or you have seen them in the news.
After removing the FUD, what is left?
Let’s shift back to the conference conversation. The attendee was sharing how a particular encryption requirement was not available with the vendor. He wanted to be able to hold the only keys to the encrypted content. It sounded like a reasonable requirement. I would have loved to sit in on a conversation with the attendee and the top security person at the cloud vendor to understand both sides.
The reason that there are two sides is that many organizations have too many security requirements. Some are features that only come into play when the first or second line of defense breaks. Many features only matter when the hacker has already gained full access to the IT infrastructure. At that point, it is too late. Those extra features primarily act as a security blanket.
The security key feature makes sense. If the client is the only one with the keys, they do not have to worry about the cloud vendor’s employees gaining access to the content. Distributing the keys could be a problem, as any mechanism that automates the distribution could readily be hacked by the vendor’s administrators. Still, it is one worth discussing.
Trust is vital
Which takes us back to trust. When you hire your own system administrators, how far do you look into their background? Even if you do, how do you know you can trust them? Booz Allen thought they could trust Snowden after his background checks. At some point, you have to trust that person and hand them the keys.
When it comes to vendors, we trust that they will deliver software that will not corrupt or delete our information. We trust that there are no backdoors ready for exploitation. We put our trust in vendors. For cloud vendors, we have to have a deeper level of trust. We have to not only trust the software, but we have to trust them with our information.
When evaluating cloud vendors, ask them about their security features. Have your top security expert talk to their experts. Research them to see if there have been past breaches. If there was a breach, find out how they responded.
Most importantly, ask yourself if a security feature is absolutely critical or just an excuse to find a reason to not trust the vendor. There are too many benefits to the cloud to let fear stop you from using it.
Laurence Hart is a proven leader in content and information management, with nearly two decades of experience solving the challenges organizations face as they implement and deploy information solutions. Follow Mr. Hart on his blog, Word of Pie, or on Twitter @piewords.