Cloud computing and its potential to offer powerful computing and data storage options to even bootstrapped small businesses at highly competitive prices have generated plenty of excitement in the industry. So much so, however, that critical questions regarding the security of the data stored “in the cloud” are often overlooked by its most enthusiastic adopters. It’s understandable, given the heavyweight names behind some of the biggest cloud computing projects in the world. (Google Apps, anyone?) If companies like Cisco and Oracle are betting their futures and fortunes on cloud computing, surely that must mean that all the kinks have been worked out already, right? Or at the very least, security must be a top priority for them as well, given their zealous approach to network security in general, and we can all enjoy the trickle-down effect of their tireless efforts to firewall our data from any and all security breaches.
Well, yes and no. Cisco CEO John Chambers admitted as much in a speech he delivered in 2009, saying that while cloud computing presents innumerable opportunities, it’s also a “security nightmare.” And with good reason. Some of the security issues that cloud computing providers must address in order to allay customer fears include:
- Multi-tenancy issues. Cloud computing, by definition, involves shared data storage among a number of users spread across multiple companies and locations. Providers must be able to reassure corporate clients that users from another company will not be able to gain access to – accidentally or otherwise – their account and information.
- Data loss and recovery. What happens in the event of a catastrophe that results in data loss? Does the provider have a rigorously and regularly tested backup solution to ensure data recovery? If a problem occurs in one client’s account that results in data loss, does the provider have fail-safe systems in place to ensure that a devastating cascading effect doesn’t occur that will lead to data loss among their other clients? What if the cloud computing provider goes out of business, is bought or taken over by another company, or declares bankruptcy? How will its clients be assured that their sensitive corporate data won’t be lost in the transition or closure?
- Storage and hosting information. Where is the data itself physically stored? Are the servers somewhere in Silicon Valley, Chicago, or Bangalore, India? Who provides the actual hosting services? If the host provider is a third party, has the cloud computing provider properly vetted its credentials to ensure that it adheres to industry standards for data security?
- Security tests and updates. How often is the software or platform updated? How often is it tested? During and after testing, does the provider have systems in place to ensure that any updates or tweaks do not result in security breaches? You’ll want to make sure that unauthorized users – from your company, your provider or a third party – don’t inadvertently gain access to your information.
- Compatibility of different security policies. If your company has an established security policy regarding sensitive client and corporate information, does it differ from the policy offered by the provider? Is the provider willing to meet your internal standards of security? What about third-party companies with whom the provider does business and who may be involved in some way with the service? Will they adhere to your corporate standards as well?
- Collaboration issues. One of the most appealing benefits of cloud computing is its ability to promote collaboration among its users, either with internal staff or external parties. Does the software or platform provider have systems in place to ensure that collaboration doesn’t compromise security?
- Human resource issues. Who within the provider will have access to your company information? Who is in charge of data security? Are they made available to you to discuss any concerns you may have? Can they adequately address your questions to your full satisfaction? What is their experience and background in corporate data and network security?
- Downtime reports and frequency. How often do the company’s servers experience downtime? Will they make their downtime reports available to you so that you can investigate the reliability of their network? Do they have systems in place to ensure that your data is secure and that no unauthorized users will have access to your account both during and after the downtime periods?
- Cyberattack defense. It’s inevitable that cloud computing is the next great frontier for cyberattackers salivating over the vast amounts of sensitive information concentrated in a relative handful of services, all available on the web. How does the provider plan to address potential cyberattacks, given that it’s only a matter of when, not if, it will experience a hacking attempt on its network?
This list is just the beginning. The best cloud computing providers spend the majority of their waking hours – and I’d be willing to bet some of their dreaming hours, too – thinking about security issues and how they can be proactive in the face of increasing threats that can potentially compromise their clients’ business and destroy the trust and faith that they’ve built with their audience. It’s an ongoing conversation that we at Mothernode are excited to be a part of, and one that will be consuming our industry for the foreseeable future.