I have read several articles recently that suggest CIOs are moving to the cloud while ignoring security concerns. Some note that cost savings or profits trump fear; or that people are not as concerned about security as they should be. While that may be the case in some instances, I do not believe that is the entire story. There are people who have performed assessments of their cloud opportunity, versus the security threat or risk, going beyond sticking their fingers in their ears, singing “la, la, la”, and wishing the threat away.
Here are four of the more responsible reasons I believe cloud adoption continues in the face of security and privacy concerns:
1. You don’t always need the most secure, most resilient service. As I mentioned in a previous post, “not all needs are created equal.” I am confident some CIOs and IT teams have figured that out and are moving the appropriate applications and data to cloud services that offer an appropriate level of security, as opposed to ignoring security concerns in favor of lower expenses or higher margins. As I mentioned in that post, recognition of this enables businesses to achieve the many benefits of cloud computing while keeping cloud service costs to a minimum.
2. It’s not more secure because it’s on premise. As many have mentioned previously, a system is not inherently more secure because it is on-premise; and it is not inherently less secure because it is cloud-resident. In many cases cloud economics enable providers to employ top talent that would be out of the reach of many of their customers. We have heard stories of “sophisticated” on-premise security schemes such as locking the server room door. Providers can, and must, be laser focused on security. In addition, cloud consumers must remain diligent and understand the level of security their providers can deliver. We cannot abdicate our duty to appropriately protect privacy and data. So, perhaps some of those increasing their cloud adoption are working with their providers to ensure data is appropriately protected.
3. Providers are stepping up. In the wake of the NSA revelations many providers are working to provide more sophisticated means to protect their customers’ data. Three things remain important in this context, though: the level of security some cloud providers can deliver at this moment may be equal to, or better than, what many can provide on-premise; we must still be diligent to understand what level of security is provided; and we must ensure that our assets are protected by an appropriate level of security (which may not be the highest level possible).
4. They’re not only interested in cloud. Consider this for a moment. Does it make sense that organizations that want sensitive data would only look to cloud services? While cloud services may certainly be “target rich environments,” there are plenty of other items of interest that are on-premise. Though we hear of on-premise breaches from time to time, private organizations that are compromised tend to keep those quiet, if possible, for a host of reasons (e.g., to protect their reputations, to avoid others exploiting the same weaknesses…). Furthermore, some of the snooping schemes responsible for the recent buzz are extremely sophisticated and were no doubt created and refined over many years – likely having been born before modern cloud computing. So we must also ask whether our on-premise solutions are any less susceptible to that kind of compromise. In some cases cloud services may provide security that is equal to, or even better than, your on-premise services.
So I am hopeful that many moving to cloud computing have a well-considered rationale that goes beyond “forget security, look how cheap this is!” I believe that many have considered one or more of these alternatives, though I am confident there are many others. If you have made the decision to adopt cloud services we would be grateful to learn of yours.