If you think the cloud isn't secure you're dead wrong

By Rick Spickelmier , written on November 20, 2013

From The News Desk

There's a debate that takes place in the cloud and it has to do with security. You know: all that data sitting there, so tempting to spies, hackers, and other data addicts.

The debate is a three-headed hydra. Some commentators point out the frequency of government requests for personal data, and the inability of cloud providers, such as Google, to block these requests. Cloud champions point to all the new security intelligence, analytics and preventative measures companies are taking to prevent data breaches in the cloud. Still others argue that the cloud is no more or less secure than enterprise data centers.

One thing everyone can agree on is that the cloud market is growing at an impressive rate. By the end of 2013, the global cloud services market will be worth $131 billion, according to Gartner. By 2015, it will be $180 billion. Wikibon reports that 60 percent of CIOs consider cloud computing their top priority and 84 percent of cloud users cut application costs by moving to the cloud, saving an average of 21 percent annually.

The popularity of cloud storage and computing is also driven by the sheer growth of information. According to the International Data Corporation (IDC), the global store of data will grow 300-fold between 2005 and 2020 to a total of 40 trillion gigabytes. Yet, the IDC reports that just one percent of this data is currently being analyzed because only a small portion has been explored for analytic value.

The cloud is recognized as the most cost-efficient place to store this data, and from a computing perspective, the easiest place to explore huge collections of data from different sources for analytical value. Trying to integrate social media, CRM, inventory management and transactional data, to name just a few sources, overwhelms most in-house databases.

Still, for individual businesses, the most common concern is that the public cloud is risky because you don’t control and manage security for the servers with your data. I would argue that organizations actually have far less control over their in-house data than they might believe.

Since 2005, Privacy Rights Clearinghouse has identified 3,963 public data breaches involving more than 616 million records. The leakage of social security numbers, financial information, insurance numbers and other sensitive data stored on hospital, university and corporate data centers is common. Yet despite hype in the press, breaches of cloud providers are few and far between. The most recent is the breach of MongoHQ, a NoSQL database hosting service.

Here’s the point: Of the 404 breaches and 9.1 million records lost so far 2013, 272 or roughly two thirds involved lost, stolen or discarded devices (computers) and paper records, insiders, payment fraud and unintended disclosures. Employee errors, criminal intent and physical robbery are not the security threats we normally think about. Indeed, if employees stored more information in the cloud and less on computers, laptops and vulnerable company servers, many of these leaks would not have been possible.

In 120 of the 404 cases, hackers broke into data owned by companies (including MongoHQ), medical groups, financial firms and government agencies. Apple, Adobe, US Airways and Stanford University were among the victims. If their in-house security is vulnerable, why are you convinced your IT department can do better?

The idea that your data is safer in-house is simply a myth. In many cases, having “control” of sensitive data means putting it in the hands of IT departments that wear too many hats. They cannot dedicate the time and money necessary to defend against such an immense range of internal and external threats.

Top cloud vendors, on the other hand, live and die by their security and ability to provide access to the data. They invest far more in physical and digital security infrastructure than most corporations because of economies of scale. Unless your company is willing to secure your datacenter with biometric scanning and advanced surveillance systems, or invest in encryption methods, third-party certifications and regular testing against attacks, you cannot provide the security that top cloud providers offer. In many cases, companies who move to the cloud get security they didn’t have and never knew they needed.

Some experts have touted private cloud as a good compromise between controlling data and getting the benefits of virtualization. The CIA, for instance, has awarded Amazon with a $600 million contract to provide private cloud infrastructure.

The overwhelming majority of organizations don’t need that degree of security. In the long term, private clouds make less and less sense. It is a bit like owning your own power plant—an extreme luxury and one that is probably not necessary. Some organizations may choose private cloud for more specific service choices, auditing requirements or regulatory concerns. In other cases, CIOs and other decision makers will choose private cloud as a compromise when team members are fearful of public clouds.

For most organizations, the great pooling of resources, freedom from operating servers, economies of scale and infrastructure-as-a-service (IaaS) subscription model make public cloud a much more appealing option. Ultimately, I would argue that some cloud is always better than none, even if the migration starts with private cloud.

The debate, though, should no longer be about using the cloud or not using the cloud. The debate should be about how well the cloud providers secure your data. In my opinion, you should not settle for anything less than a near perfect record of disaster. If a provider does not have redundant systems for HVAC, power and network connectivity, move along. If they don’t have regular third party audits, vulnerability assessments and penetration tests, think twice about trusting your data with them.

Insisting that data remain on premise is like arguing that money should be stored under a mattress or buried in the backyard. The added control actual becomes a liability to the money, and a wad of cash under your bed cannot be invested nor is it secure. In the case of data, bytes stored in-house cannot be integrated, analyzed and acted upon in a meaningful way. Data collection without the cloud is an investment with little return.

We’re nearing a point where “cloud” will not be a buzzword but simply a fact of computing. Debunking the myth that the cloud is not secure is a first step towards bringing about this change.

[Image via Thinkstock]