Thursday, January 31, 2013

Cloud Security Concerns Are Dead...

Charles VI the Mad
Cloud Security Concerns Are Dead! Long Live Cloud Security Concerns!

By Randy Davis, VP Sales & Marketing Operations

Way back in 1422, seventy years before the discovery of America by Columbus, the French king, Charles VI, died. Upon his passing, the phrase Le Roi est mort, vive le Roi! was pronounced to indicate the immediate and unbroken transition of sovereignty from the dead king to the new king, Charles VII. The saying, "The King is dead, long live the king," was so powerful that it has been borrowed by other royalist nations to note the transfer of rule from a newly deceased monarch to the living one.

However, the saying did not assume that the manners, customs, priorities, principles or laws of rule would remain the same. The new monarch had, let us say, flexibility. Even so, the past is not easily resisted.

It's the idea of continuity that interests me as we transition from the perception that (at least for many IT practitioners) concerns over cloud security still reign supreme, to the idea that (for others) those concerns belong to the previous regime, and it's time to move on to less resolved matters such as how to make sense out of big data. The questions before us are these: are security concerns about cloud-based storage and computing providers alive and well, or should such concerns be relegated to the past so that we can devote our resources to truly unresolved problems?

I think the answer is Yes... and Yes.

Perception Vs. Reality

The fact is security is still the top concern preventing the adoption of public clouds. Of the 27% of respondents to the InformationWeek 2012 Cloud Security and Risk Survey that have no plans to use public cloud services, almost half (48%) cite security concerns.

In a recent Federal Computer Week cloud computing report sponsored by Brocade, the resistance to cloud computing was compared to that of opening a bank in the Wild West during the 1800's. In a time when people kept, protected and controlled their own money in their own "mattress safe," the idea of some newfangled bank providing those services seemed highly risky. Can the bank be trusted? How can I get to my money? What keeps someone from walking in and pretending he is me? What if the bank is robbed or fails? Over time, however, as people began to use banks to protect their money, banks proved trustworthy, and their use became ubiquitous.

Although the period of westward expansion in American history was a time of tension and uncertainty for frontier banks, most banks were more than capable of providing vaulted, secure financial services.

Still, many people were reluctant to give them their money, preferring to keep it under the mattress, and under their own control. The mattress model, however, proved to have the highest risk of all because of fire, flood, storm, accident, loss or theft.

For many IT managers and executives I think this illustrates where we are today as we transition from the on-premise, institutional, ad hoc "mattress" model of protecting information to the specialized cloud-based "bank" model. It is my conviction that, just as people have come to trust banks with their most valuable financial assets, they will inevitably come to trust specialized cloud-based providers with their most valuable information assets.

Actual Risk Vs. Perceived Risk

The dichotomy in opinion about security between those who use cloud storage and those who do not could not be better illustrated than by the following: when asked* if cloud storage improves data protection for disaster recovery, two-thirds of actual cloud storage users responded yes, while only one-quarter of those who do not use cloud storage responded the same way. Clearly the experience of actually using cloud storage services informs a different opinion of their efficacy.

For me, concerns about cloud security fall into two camps:
  1. Concerns that are legitimate and necessary and belong to any data protection scheme 
  2. Concerns that are dated, irrational or fail to recognize genuine progress or proven solutions 
That's not to say that all cloud providers are alike in scale and quality of service. Nor do they need to be. There is specialization in cloud storage services depending on need, use, and levels of security (within security I include transport, authentication, redundancy, ratings, facilities, segregation, certification, compliance, etc.).

I understand the "better safe than sorry" mentality that accompanies a move from a long-standing, well-proven solution to a solution that is being proven, and that mitigation of risk is a job-saving responsibility of IT practitioners. I also understand that, at some point, the risk is inverted. Holding on too long to technology or practices that have been superseded, irreversibly begins increasing the risk on the other side of the question. Who would now argue that a mattress is safer than a bank, or a filing cabinet is safer than an encrypted, replicated disk drive?

Warehouse Vs. Bank

Some cloud providers offer warehouse services that effectively provide a sheltered, even guarded, place to store things -- anything -- pictures, videos, music, documents and so on. A warehouse may have plenty of locked doors, a safe, a guard or two, and an alarm system, so to speak, but it's still a warehouse, and they'll let anyone store stuff there. You wouldn't want to store highly valuable or highly private information there, especially if you were legally liable for its security and privacy protection.

Other cloud providers offer an altogether different category of secure storage and management, more like a bank that provides reinforced steel doors, vaults, safety deposit boxes, government regulation and compliance procedures and facilities, certifications, financial services best practices, and so on, all specifically designed to provide the highest degree of protection of highly valuable assets.

There are some very good cloud "warehouse" providers (Dropbox, Box, Google Drive, SkyDrive, etc.), who provide an excellent, if limited, service.

There are other cloud "bank-vault" providers (such as eGistics) who have built their entire service model around securing, protecting, and replicating highly valuable, highly sensitive data.

Using eGistics as an example, because we provide cloud-based services for financial institutions and health care organizations, we are more akin to a vault within a bank rather than a safe within a warehouse. As a result, our concerns, responsibilities and capabilities are different and significantly more stringent, and our infrastructure more secure. Whereas a warehouse safe can provide a degree of safety and protection, it is still a safe within a warehouse, and not a vault within a bank. A safe within a warehouse does not come with the same protections, barriers, restrictions, alarms, monitors, authentications and governing agencies that a vault within a bank does.

My point in this article is that arguments suggesting that cloud technology and security are sub-par compared to on-premise solutions are getting a bit long in the tooth, and too often use the failures of warehouse-type cloud storage providers to argue against any cloud storage as a viable solution for financial, governmental, or health care information.

So, now I'm back to my point that the continuity of ideas and practices from one regime to another can be debilitating -- especially within the dynamic and evolving arena of technology and technological leadership.

I suggest that we are in a period of tension between the time that IT practitioners are unsure that cloud security has been sufficiently addressed, and the time they recognize that it has been. When cloud security is fully embraced, however, IT managers still need to appreciate the difference between a warehouse and a bank.

Let me know what you think about cloud security.

* "A Snapshot into Cloud Storage Adoption," TwinStrata white paper, updated January 2013