
Thursday, June 9, 2011

Some Think Cloud Security Superior to In-house Data Centers


For some in-house data centers, the data horse has already left the barn!
Randy Davis, VP eGistics

I just attended a panel discussion Webinar titled "Ready for Cloud Storage? Key Considerations and Lessons Learned," hosted by the SNIA Cloud Storage Initiative.

The panel included Kipp Bertke, Manager of Infrastructure & Operations at Ohio Department of Developmental Disabilities; Ajay Chandramouly, Cloud & Data Center Industry Engagement Manager at Intel; and Nathan McBride, Executive Director of IT at AMAG Pharmaceuticals.

The discussion was meaty and substantial (you can find it here: http://www.brighttalk.com/webcast/679/27865), but the comments by McBride were downright breathtaking. I would say that he and I had been reading the same articles, but his comments were based on hard-earned experience rather than ivory-tower theorizing.

I was so impressed with his views that I am going to quote him as best I can, and quite extensively, in this blog entry.

The following comments from McBride are in response to my question, "Are cloud security concerns qualitatively different than those for on-premise solutions?" Although the question was misinterpreted to mean security differences between public and private clouds, rather than between cloud solutions and in-house (non-cloud) solutions, McBride's answer was spot on.
“Security is always a concern of mine. It brings me to questions I have to ask myself, and they are 'What is the best possible data center I could build? What’s the most amount of security I could put into it, and how much would that cost me?' I realized that the cloud storage vendors I selected had spent five times that much, or a hundred times that much, to build their data center. So there’s nothing I can do that would even come close to the security offered by my vendor for a low service cost.”
Then he addresses the trust issue head on. Can you trust cloud storage service providers?
"People say, 'Well, what about the people at the data center that is hosting your data? Do you trust them?' Well, I trust them just as much as I trust my own IT employees. The only way you can ever be secure is to remove people. Since I can’t remove people from the equation, I have to trust that at a certain level the companies I want to do business with want to keep doing business with their customers, so they’re going to employ best methods, best practices, and the best people to manage my data. And I don’t just trust that. I also verify through SAS70 certifications, on-site audits, things like that. But I do feel comfortable and secure knowing that the companies we are doing business with have employed security practices that far exceed anything I could manage to put together."
McBride went on to discuss some of the data leaks common to in-house data centers, things like non-secured flash drives, data that is copied to dozens or hundreds of PC hard drives, data sent to casual, personally controlled file storage services such as SkyDrive and Google Docs, and so on. His point is that you have to consider the real risks, costs and vulnerabilities of in-house data center management, and realize that, for most companies, it's no Fort Knox for data. On the other hand, some cloud storage service providers have gotten real close to Fort Knox-like security.

This Webinar is worth your listen.

Tuesday, May 17, 2011

Security in the Cloud: Don't Let It Stop You

by Randy Davis, Vice President, eGistics

The primary reason companies cite for not taking advantage of Cloud services is concern about security. So it comes as a bit of a surprise when security analysts say, "Don't let security concerns stop you from migrating appropriate pieces of your IT operations to cloud-based services," as they did in a recent InformationWeek Analytics report of Cloud Security (5 April 2011). Of course this advice comes with fair warning about doing your homework, and hinges on the word "appropriate."

The authors of the report point out that better security is not a reason to move to the Cloud, but undue concerns about security are not (in many cases) a reason not to, either. Still, in a recent survey, 53% of 208 respondents not planning to move to the Cloud cite security as a primary reason for not doing so. The InformationWeek Analytics report suggests that their concerns may be misplaced, and based on old data.

The fact is, remote hosted services have been around for years, hosting billions of items of data for highly security-sensitive companies (like financial services companies processing check and credit card transactions) and doing so in a proven, secure environment. If financial processors trust your transactional payment data to the cloud, why wouldn't you trust, say, your business forms to the cloud?

Some Cloud providers can provide better security than you can, believe it or not. They've already addressed, through extensive cost, time and effort, the requirements of the Payment Card Industry, or SAS70, or HIPAA.

So the report concludes, it's not a matter of whether the Cloud is secure, it's a matter of (as in any business environment) whether your chosen partner has adequately addressed your specific security concerns. You may be pleasantly surprised to learn that they have.

Let us know if you agree, or whether you have security concerns that cannot be addressed by Cloud service providers.