Despite cloud technologies being adopted at a relentless pace there is always a question mark about security. In fact, it’s the thing I’m most often asked about. Of course, any would-be user of cloud services must ask the questions: ‘Where is my data, who has access to it, and how it is being protected?’ These are valid questions.
However, I believe that many of the fears around cloud security are largely unjustified. To start with, the word ‘cloud’ creates a sense of intangibility, in which data apparently floats around in some kind of stratospheric no man’s land and is zapped down to a physical location when it’s called for. This perception has partly been brought about by the hype surrounding cloud technologies.
But as we know, and despite the airy terminology, cloud servers are real servers located in real concrete structures, built upon hard terra firma. It’s important to find out where your physical data is held if you can. For example, due to data protection legislation you may want to store your data in a local territory rather than a foreign jurisdiction. Well, you can, as long as you use the right service provider and define an appropriate service level agreement.
The distinction between public and private clouds has also fuelled the fear and uncertainty.
Service providers offer public clouds over the Internet to deliver resources such as applications or storage to a wide variety of customers. Despite use of the ‘public’ Internet, data can be securely encrypted as it’s transmitted. Private clouds, as the name suggests, are cloud infrastructure or services operated for use by a single company, where that company controls who can access the cloud services. These can be hosted either within a company’s data centre or at an external third party’s data centre.
Despite the relative newness of the cloud, the approach to security should be, and is, the same as for any other IT infrastructure. Identities need to be authenticated, users’ levels of access to specific data needs to be managed and data needs to be backed up and protected. In short, the same rules and concepts need to be applied to the cloud as to other IT infrastructures.
I touched on this point in an earlier blog when I drew a parallel with the uncertainty around online banking when it was first introduced. Lots of people said it would never work but they were wrong. For sure, there have been steep learning curves for both banks and customers but today online banking is the preferred and often the only channel for millions of people.
Service providers have a deeply vested interest in ensuring their clients’ data is well protected. It’s their business to do so. If they leak customer data they may as well put themselves out of business and that’s why they do all they can to ensure security. This often consists of the best technologies and multiple layers of defence, typically exceeding the measures that many companies take themselves. This ‘optimisation’ also extends to replicating and securing the data across multiple locations.
The security policies that apply to an on-premise infrastructure should also apply to a cloud infrastructure. However, it’s important to establish security policy flexibility with a service provider so changes can be made in line with the customer’s changing requirements. From the outset, these issues should be nailed down in the service level agreement. This addresses the perception that companies lose control when they use cloud service providers.
In summary, I would say the fear around cloud technology security is for the main part without foundation. Of course, attack methods are evolving all the time and service providers tend to be targeted with frequency. But that said, security is just as much – or more – of a challenge to many in-house teams . Arguably the cloud providers are more up-to-date with their infrastructure technologies thanks to their business model which shares investment costs amongst several customers. And this is important, because at the hardware and software level, innovations are constantly coming to market which will make the cloud a safer and safer place to operate.