Photo Credit: kennysarmy via Compfight cc
Over the last few years I’ve had many conversations about the cloud in all its forms with businesses large and small.
In large businesses with lots of security-savvy staff, our conversations are rarely about whether their information held in the cloud will be secure per se. They have well developed policies and strategies for Information Security, Data Governance and Disaster Recovery policies; what they want to know is that a policy can be maintained for the information that will now be held and/or used in the cloud. The conversation is as much about how to prove policy is being adhered to, both internally and often to regulators, as it is about the “nuts and bolts” of the security controls themselves.
The more challenging conversations for me though are those with small businesses. I’ve lost count of the times I’ve been told that they “don’t trust someone else with my data” and “it’s safer at home/ in my office with me”.
For me, it’s analogous to keeping your business takings in the mattress because you don’t trust the banks, and you can’t afford a safe of your own!
Do you Own A Safe?
If you had in-house IT staff, a data centre, off-site back-ups and disaster recovery. If you had an information security strategy, authentication and encryption, and myriad other controls over your sensitive data, and a Network Operations Centre watching over all of that then, in my analogy, you’ve got yourself the equivalent of a decent safe.
You’ve built a stronghold in which to keep your information, you have controlled access to who can get access to it, and, assuming you have one of those fancy safes that can withstand fires, explosions, and the advances of all but the most advanced thieves, you’re protected from most physical threats that could render your information lost, breached or unavailable. It’s a good solution, but it’s expensive, and it’s out of the reach of most small businesses
What if you handed much of the responsibility over to qualified people for whom any data loss or data breach could be as serious for them as it is for you. To an infrastructure that removes your reliance on ANY of the physical infrastructure in your home or office in order to deliver business continuity? This is what we do every day with our money – we place it in the hands of a service that can protect it and deliver it back to us, on demand, as required. Indeed more than that, as our businesses have grown, we become more reliant on the bank for providing this service, not less. Let’s also not forget that the vast majority of “money” in the system is in fact digital itself – zeros and noughts held in data centres…
Small businesses do not have in-house expertise. Doing back-ups each night and buying a “really good” server does not protect you from them being stolen. Your security defences will be weak at best to any but the most novice of hacker. Even if you do save the backup disks from a fire or theft, can your business survive long enough for you to replicate the physical infrastructure and software applications to restore them to?
So I ask you, if you’re a small business who can only afford a mattress, where do you think your data is better protected?
OK, what about the current state of the banking industry I hear you cry? True, there have been issues of late, but I contend the analogy still holds true. You still own your data, as you still own the money in your bank account. You should choose your cloud provider as carefully as you choose your bank, and you should ensure portability of your information between them. Any which way, it’s still in better shape than stuffed your mattress.