One of the hottest debates in the information technology community today centers around cloud computing. Proponents suggest the flexibility, scalability and economics of the cloud make it a logical choice, while opponents point to security and privacy concerns as reasons not to move to the cloud. From the perspective of a company focused on providing secure information technology solutions to large, very security-conscious customers, we believe it is possible for small to mid-sized organizations to have the best of both worlds: the benefits of the cloud can be affordably attained in a way that does not jeopardize an organization’s security.
Security is the big argument against cloud computing these days. However, one might argue that cloud computing can actually be more secure than locally managed systems, particularly for small to mid-sized companies. Here are a few specific examples:
Multifactor authentication: A number of cloud computing vendors now offer multi-factor authentication as part of their service. Multi-factor authentication is much more secure than the more traditional user name and password authentication convention. Instead, multi-factor authentication systems combine something you know (password), with something you have (hard token), and/or something you are (biometric). Unfortunately, many small and mid-size companies don’t have the resources (skills, time, or money) to implement such authentication capabilities on their own.
Security patching: Many software products that we use everyday require diligence when it comes to applying security patches and testing these patches to make sure they were properly applied. Again, many companies do not have the resources to adequately perform this complex and time-consuming task, which puts their systems at risk. As we are seeing in the news with malware and cyberattacks like Stuxnet, hackers typically feed on known vulnerabilities, often more than a year old, that have not been patched.
Physical security: Reputable cloud computing vendors often host their systems in facilities that have much stronger physical security controls with meaningful certifications that many small-to-midsize companies cannot provide on their own.
Security certifications: Many industries require IT systems and facilities maintain certain types of information security and/or privacy certifications. For example, compliance with the Federal Information Security Management Act, or FISMA, is required for the federal government while Health Insurance Portability and Accountability Action (HIPAA) compliance is required for the healthcare industry. These certifications can be prohibitively expensive for smaller organizations to achieve; however, many cloud vendors provide access to systems and facilities that are already certified. Even if your business does not require a certification, it may be comforting to engage with vendors who offer them as it demonstrates mature business practices as it relates to information security.
Other security considerations
Despite these security benefits that are typically associated with cloud computing, many companies are legitimately concerned with how and where their data is stored. Concerns about reliable access, data back-up, physical location (e.g., off shore), encryption at rest, etc. are unique to each customer, the industry vertical and other unique requirements. In situations where data is not sensitive, many of these concerns do not apply. However, many companies will indeed care about how their data is stored and managed. In fact, certifications as described above may be required to ensure certain practices are in place. All of these issues can be adequately addressed by cloud computing vendors in the form of customized offerings, e.g., private or hybrid clouds where customers have more control, financially backed service level agreements, and/or evidence of security certifications. However, in the end the pressure is on cloud computing vendors to convince customers that they have adequately addressed such concerns.
The cloud offers economies of scale
Due to the pervasiveness of IT and the essential role it plays in running our businesses, it might make sense to view IT as a utility, rather than a dedicated capability. Much like other utilities such as power, and water, IT services might also be centrally managed and maintained for improved service and lower operating costs. Cloud delivery of IT services, like other utilities, offer economies-of-scale. Everyone agrees that our IT systems must be scalable, reliable, and secure. However, due to the increasing complexity of IT systems and cost of skilled IT staff it is difficult for many companies to provide scalable, reliable, and secure IT services on their own. Many companies simply cannot afford to purchase all of the hardware/software and hire all of the specialty IT personnel needed to establish and maintain a dedicated and locally managed IT infrastructure that is scalable, reliable and secure. Cloud computing vendors have the ability to invest in the requisite staff, resources and facilities, allowing customers to pay only for what they use instead of making large up-front investments in dedicated resources that must be managed and maintained over time.
Internet banking is an interesting comparison for the current cloud computing conundrum. That is, security concerns were also an inhibitor for on-line banking adoption, which was a precursor to cloud computing back in the mid-90s. Banks addressed the security concerns and now it’s difficult to imagine a world without online banking and other forms of online financial transactions. Similarly, as cloud computing vendors continue to address market concerns about security, the economics and convenience of cloud computing will make it commonplace…just like online banking and other online financial transactions are today.
Despite the convenience and economic benefits, cloud computing may not be for everyone. For example, from a security and risk perspective, cloud computing may not appeal to organizations that have highly classified missions and/or extremely sensitive data. However, for most, the security advantages of cloud computing described above coupled with the ability to create private clouds (allowing customers to control who is in the cloud, where data is stored, who has access, etc.) should offer the security assurances needed to satisfy most organizations.