With multiple data breaches in the news on what seems like a weekly basis, companies are understandably “twitchy” about making sure their data is protected. It’s a big job. What is at risk is not just proprietary data, but usually customer data too.
Many companies are bombarded with sales reps showing cloud services as the shiny penny that will fix their issues. This isn’t to say that there are not reputable cloud vendors or that cloud doesn’t have a role in the security conversation. But it surprises me how many companies will quickly trust others to “secure” their data. Company data is not “secure” even if it is under the company’s own control, how could it be any more “secure” outside of their control?
Yes, there are advantages to going to the cloud. For example physical tapes have vulnerabilities, especially if they are just thrown on a shelf and are not replicated in a geographically distant location to protect against weather disasters and other catastrophic events like fire and flooding.
But cloud is not the be-all-end-all panacea that brings 100 percent certainty about security.
Do you think the people in charge at NSA were told that their data was secure?
Do you think management at Target were ever told that their data was secure?
This list could go on and on.
Heck, what does the word “secure” even mean? I lock my truck at night when I park it in my own driveway. Is it secure? It could be stolen in seconds. People lock their homes (secure them) every day and every day homes are broken into (even the ones that are secure).
The same is true of data. No data on a computer is “secure” from hacking unless it is unplugged from the internet. And even then it is still open to prying eyes from employees. Security is about managed risk, i.e. how much risk the company can bear and still stay open, whether it is downtime at stake or the breach of proprietary and customer data.
The potential for downtime is worth its own blog. No server can stay running 100% of the time under perfect conditions. That’s why I get so passionate about using software to manage risk. Message monitoring software doesn’t bring a 100 percent security, any more than cloud does. But it is a powerful tool to manage risk. It’s that heads-up that tells you via text and email:
WARNING, your server is nearing capacity
WARNING, there is a power outage
WARNING, there are multiple password attempts on this account
WARNING, tape is running out.
These are only a few of the sentries you can set with message monitoring to manage risks for real-life unfolding security dramas that affect your data.
The cloud question was very effectively framed in a blog I read last week Steve Pitcher, a specialist in IBM i and Enterprise Systems Manager.
Take backup, recovery, and high availability for instance. Don’t assume that the low default sticker price ensures that your data is being backed up or is highly available. In case of disaster, what’s the recovery time? Where are you on the cloud host’s priority list? Having a high availability configuration (if there’s one available) will most likely require you to pay a premium. The same goes for offsite backup storage. Do you require that your data goes to tape and is available for 5, 7, or 10 years? Is the restore procedure cost covered under your contract or is that a per-incident cost? Does the cloud vendor even have a recovery option in case you deleted an important file?
Privacy of data is another major concern. Your data may be encrypted on cloud vendor systems, but is it your encryption key or the vendor’s? Are you comfortable with a vendor having the encryption key? Many questions need to be asked when entertaining putting any data in the cloud.
The take-a-way in the cloud conversation is that we have to recognize that while cloud may bring some security benefits, it also brings with it risks that have not been fully articulated, since it’s a relatively young service. We have to be on guard against being drawn to the shiny penny that may end up costing us more, and that can bring false assurance about the security benefits. The road to security still lies firmly in our own hands in how we control access to information and how well we anticipate potential blind spots.