Is Your Data Safer in the Cloud?
Questions you should ask your vendor
Everyone’s heard the cheerleading for the cloud: it enables rapid innovation, collaboration, mobility, and access like nothing else. And with all the cut-throat competition these days, you can add affordability to the list.
But despite these benefits, many IT professionals and executives have serious—and understandable—concerns about turning over their company’s data to an outsider.
“This question of security and compliance in the cloud comes up all the time,” said Adam Swidler, global head of solution strategy at Google Apps. [00:23]
In many instances, the cloud can offer you greater security than storing data in-house, Swidler said. But you shouldn’t leap into it blindly. Security problems are a very big deal, and you need to learn how your cloud provider deals with them before signing on the bottom line.
Scope of the Problem: Scary-Big
Threats abound both inside and outside an organization. Externally, broad-based security hacks like Target’s make headlines all too regularly, and a 2013 Verizon study found that 86% of data breaches come from the outside. For internal breaches, over 50% come from employees who no longer work for the place they invade, managing to get in through old accounts. The most embarrassing fact: 66% of data breaches take months, if not years, to discover. [2:46]
When you look at how businesses handle security internally, you can see why there’s a problem. Companies have hundreds of servers and innumerable variations of software, all of which require critical security patches from time to time. Yet the Verizon study found that it takes most businesses 25 to 56 days to get these updates installed.
Another problem: 53% of workers are using their own devices for work. Which is a wonderful convenience—until their thumb drive disappears (66% of owners admit to losing one) or their laptop gets stolen (two million cases occur every year). [3:03]
Enter the Cloud
Large cloud service providers have the resources to relieve many of these security headaches. They have thousands—even hundreds of thousands—of identical machines running on the same stacks of customized software, making patches quick and easy. They hire hundreds of security professionals devoted to handling that task alone, as opposed to a harried on-site IT manager with a dozen other tasks to complete. [4:40]
That’s a good answer to a vexing problem, but it doesn’t go deep enough. To make a decision about a cloud provider, you need to look at all the sources of security risk and evaluate the provider’s ability to deal with each of them. There are four basic areas where breaches can arise: from hackers, from your own staff, from the service provider’s staff, or from governments. [7:18]
Threats from Hackers [7:23]
To guard against direct attacks on a data center, your provider should have hardware that is custom-built and uses a hardened Linux software stack. They should provide external security verifications. Ask the provider if they use their system at their own company. [7:56]
The vendor also needs to protect against network eavesdropping (the kind of spying the NSA has been caught doing). [8:29] They should be using SSL/TLS encryption everywhere possible and should be running an algorithm behind the scenes that looks for suspicious anomalies that might indicate snooping. Some vendors offer an enhanced configuration of SSL/TLS that makes it impossible for someone to record an encrypted session, store it, and later decode it; this property is known as forward secrecy.
The provider should also offer transport layer security (TLS) for email communications.
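The two questions raised above (does the provider's endpoint negotiate forward-secret encryption, and does its mail server offer TLS) can be checked from the outside without any vendor cooperation. The script below is an added example, not code from the article or from any vendor it mentions. The classification rule it uses is fixed by the protocol: every TLS 1.3 suite uses ephemeral key exchange, while in TLS 1.2 and earlier only suites whose OpenSSL-style name starts with an ephemeral prefix (ECDHE, DHE) do. The hostnames and the sample negotiations are constructed placeholders; the `probe_*` functions need network access, and the offline `audit_samples()` function exercises the same logic on constructed input.

```python
"""Check forward secrecy and SMTP STARTTLS support on a vendor endpoint.

Added example, not part of the original article. Hostnames are supplied by
the caller; the SAMPLE_NEGOTIATIONS list below is constructed test data.
"""
import smtplib
import socket
import ssl
import sys

# OpenSSL cipher-name prefixes that denote ephemeral (per-session) key
# exchange. With these, a recorded session cannot be decrypted later even if
# the server's long-term private key is obtained. Static "ECDH-" and plain
# "AES..." / "RSA-" names use the server's long-term key and are NOT safe.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_forward_secret(cipher_name: str, protocol: str) -> bool:
    """True if the negotiated suite provides forward secrecy.

    TLS 1.3 removed static RSA/DH key exchange entirely, so all of its suites
    are forward secret even though their names (e.g. TLS_AES_128_GCM_SHA256)
    do not mention the key exchange.
    """
    if protocol == "TLSv1.3":
        return True
    return cipher_name.upper().startswith(EPHEMERAL_PREFIXES)


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with a certificate-verifying context and report what was
    negotiated. Requires network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return {"host": host, "protocol": protocol, "cipher": name,
                    "forward_secret": is_forward_secret(name, protocol)}


def probe_smtp_starttls(host: str, port: int = 25,
                        timeout: float = 10.0) -> dict:
    """Report whether an SMTP server advertises STARTTLS and, if it does,
    whether the upgraded session is forward secret. Requires network access."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"host": host, "starttls": False}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        name, protocol, _bits = smtp.sock.cipher()
        return {"host": host, "starttls": True, "protocol": protocol,
                "cipher": name,
                "forward_secret": is_forward_secret(name, protocol)}


# Constructed sample negotiations (cipher name, protocol) for offline use.
SAMPLE_NEGOTIATIONS = [
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3"),          # TLS 1.3: always ephemeral
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),     # ephemeral ECDH: good
    ("AES256-GCM-SHA384", "TLSv1.2"),               # static RSA key exchange: bad
    ("ECDH-RSA-AES128-SHA", "TLSv1.2"),             # static ECDH: bad
]


def audit_samples(samples=SAMPLE_NEGOTIATIONS) -> dict:
    """Return {cipher_name: forward_secret} for a list of negotiations."""
    return {name: is_forward_secret(name, proto) for name, proto in samples}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No host given: show the offline classification of the samples.
        for cipher, ok in audit_samples().items():
            print(f"{cipher:32} forward secret: {ok}")
    else:
        host = sys.argv[1]  # hypothetical vendor hostname supplied by caller
        print(probe_tls(host))
        print(probe_smtp_starttls(host))
```

Run it with no arguments to see the offline classification, or with a hostname you are entitled to test to probe the HTTPS and SMTP endpoints. A `forward_secret: False` result on a TLS 1.2 endpoint, or `starttls: False` on the mail server, is a concrete finding to raise with the vendor.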
Denial-of-service attacks are another hot-button area. They have gotten increasingly sophisticated. Ask the vendor how they plan to prevent them. Large cloud providers should have systems with built-in redundancies.
Threats from Your Own Staff [10:10]
Sure you trust them, or you wouldn’t have hired them. But that doesn’t mean they won’t lose their iPhone, iPad, Droid, or other device that they’re now using for work as well as play. [10:50]
The cloud won’t make them any less absent-minded. But chances are if your company is using the cloud, the amount of data that lives on workers’ devices is limited. With cloud collaboration platforms, there’s no need for employees to download massive amounts of your data to their own devices. And you can use mobile device management strategies to track a phone’s location or wipe data when necessary.
You do need to make sure your provider offers strong authentication for everyone who accesses data. [11:54] Make sure their solution will integrate easily with your existing system.
Learn how the vendor handles permissions. Can you make changes easily? Does the vendor offer different levels of access, like ability to view, edit, or comment? [18:41] Do they provide protection against data leakages, or do you need to get that from a third party?
Threats from the Service Provider [13:00]
Ask the provider how they handle unauthorized access, data leakages, and system outages. And make sure the contract clearly states that you alone own your data. That will give you coverage if you suspect the provider has had unauthorized access. Make sure the provider has tight internal controls. Ask if you can require background checks on their employees. Does the company do third-party security audits? If so, ask who the third-party company is.
You should make sure the vendor has a clear definition of security and privacy requirements. Look for evidence that they have a culture that takes these concerns seriously.
If you do business in Europe or have users there, make sure the cloud company complies with privacy documents created by the EU.
Finally, ask the vendor about outages and downtimes. How often do they occur, and how long does it usually take before the system is back up? How much work do users lose?
Threats from Governments [23:19]
We’ve all read about government spying and, in some countries, government take-downs of sites they feel threatened by. Ideally, you want your cloud vendor to be as transparent as possible about government requests for your data, whether they come from the US or abroad. Find out if they can give you information about requests and whether you can be in on the process. If you do business in Europe, ask if the provider is certified under the EU’s “safe harbor” program.
Security Certifications [23:19]
Some cloud providers won’t allow you to do a security audit yourself, but they will allow a third party to do it. If that’s the case, ask if you can see the audit summary, or better yet, the full detailed report.
Moving to the cloud means trusting your company’s sensitive data to an outside party. It’s not an easy step, and it shouldn’t be taken without a thorough investigation of the vendor’s security systems. You need to go over each type of threat with the provider and make sure they have answers for all your concerns. Carefully read the contract and service level agreements and have the provider answer all your questions to your satisfaction before you sign.
Moving to the cloud is not a snap decision by any means. But if you do your homework, you can definitely achieve an environment that is highly secure. [33:04]