Sitting in a meeting with a partner of ours, who provides cloud-based desktop and application services, I was struck by a statement by one of the company founders. He said “Yes, we provide customers with an efficient way to access their corporate data, consume application resources in the cloud, and drive down costs. But I’ve always maintained that our number one value to our customers is that we protect and secure their data.”
An interesting take, considering that the #1 concern many have over using cloud services is the protection and security of corporate data in these multitenant, shared platform environments. His contention is that with a company’s data and access tightly controlled via a defined set of technologies, protocols and service level agreements, the chances of leakage are vastly less than in the traditional LAN environments. And, I have to say, it makes a lot of common sense.
Keeping control of your intellectual property and private dataset is a challenge that goes back to the Stone Age. Man guarded any information that may affect his ability to survive, such as the location of good hunting grounds or where drinking water could be found. He did this by keeping the knowledge to himself and passed it down by word of mouth to the next generation. In this manner, the information could not be stolen or misused, unless that next generation chose to do so.
Early libraries were a way of controlling access to information and knowledge, by centrally locating the data and putting protections around it. Even today, public libraries have safeguards that require some form of identification, and they maintain records of access.
In wartime information that needed to be secured but also distributed lead to the evolution of coding and cyphers. Codes could be broken through brute force or via defections, and so the need for constant monitoring and evaluation of the validity of the coding process was instituted. In this way, data no longer had to be centralized to be secured.
Unless everyone in your organization has a photographic memory, you have to put your trust in external solutions at some point. Think about your current “private” network. You rely on various technologies to provide protection: your firewall, AV/Malware scanning, disk encryption and device access control, etc. But are those solutions really YOUR solutions? Did you write the code and create the protocols? No, you selected a set of solutions that mapped best to your own requirements. Sure, you have the ability to adjust and modify, to some degree, the configuration and implementation of these controls. But it eventually comes down to trusting in the creators of the solutions.
Even in today’s most sophisticated environments, the risk of exposure is ever present. I recently read an article about the infection of exclusive networks controlling the Air Force drone fleets. While the networks are encapsulated, mobile drive devices were used to move data out and back into them. So, while the technology used to secure these networks was sophisticated (and I’m sure VERY expensive), it all came down to a PIC (problem in chair) event.
Your “private” network is mainly made up of a mixed bag of components that all have their strengths and weaknesses. Not to mention that you put that technology directly into the hands of a group of users who may or may not have your best interests at heart, or who may become disgruntled, dissatisfied or persuaded to violate your trust in them. So, keeping that in mind, if you were to physically remove the data from the people, isn’t that inherently more secure?
As we have progressed technologically, the ways we protect our data have had to evolve, but the basic principles remain the same:
Identify the risks
Define what techniques are necessary to provide protection
Enable access only to those required
Negotiate penalties and punishments
Test your security measures
Train your people
Yesterday’s solutions are today’s vulnerabilities (ok, a little weak but I need the Y…)
The argument’s pro and con on the ability to secure data in cloud solutions will probably go on forever. Every breach will probably lead to wails and protests amongst the detractors. See, they will say, you can’t secure what you don’t control. Trust no one but yourself.
Some of the greatest breaches (per http://datalossdb.org/) have been made on data assumed to be secure because it was on a corporate controlled system when stolen: Heartland, TJX, Sears, CardSystems. Have these breaches greatly altered the way we conduct business today? If you think so, ask yourself these questions:
Do you still use credit cards at retail stores?
Do you bank online?
Do you only pay government fees with cash?
The moral here is that you trust the security partners and vendors whose products and services you utilize on your private network. AND you trust your users not to abuse the confidentiality assumed by their employment. The basic principles of security are not foreign ideas or technological impossibilities in the cloud space. Do your homework, trust in your selection process, and think of how to utilize cloud services to enhance your data protection and security profile. Your thoughts?