Who still keeps money under their mattress? The case for cloud security

There's so much fear, uncertainty, and doubt about the topic of security in the cloud that I wanted to dedicate a post to the topic, inspired in part by the security-related comments to last week's post.  

Let's start by acknowledging that, yes, technology can fail.  But this happens regardless of how it is deployed. Massive amounts of data are lost every day through the failure of on-premise technology.  Anyone who's worked at a big company knows how often e-mails or files on your local or shared drives are lost or corrupted.  Or how easy it is in many  companies to plug into their network without credentials.  And this doesn't even take into account the precious data walking out the door every day on thumb drives and lost or stolen laptops.   But these incidents are primarily kept quiet inside company walls, or worse, not even noticed at all.

When public cloud technology fails, on the other hand, it makes headlines.  That's part of what keeps the leading cloud providers at the top of their game.  Cloud leaders such as Salesforce, Amazon, and Google spend millions of dollars on security and reliability testing every year, and employ some of the best minds out there on these topics.   The public cloud providers' business absolutely depends on delivering a service that exceeds the expectations of the most demanding enterprises in this regard.  

The fact of the matter is your data is probably safer in a leading cloud platform than it is in most on-premise data centers.  I love what Genentech said at Google I/O: "Google meets and in many cases exceeds the security we provide internally."

For some people data just "feels" safer when you have it in your own data center (even if it's co-located), where you think it's under your control.  It's similar to keeping your money hidden under your mattress.  It "feels" safer to have it there in your bedroom where you can physically touch and see it.

That feeling of security is an illusion.  That's why public banks exist -- it's a much safer place to keep your money even if the occasional bank robbery makes headlines.  Examining why banks are safer sheds some light on the topic of security and the public cloud.  Consider these three reasons:

  • Expertise: Banks are experts at security.  They hire the best in the business to think about how to keep your money safe and (hopefully) working for you.
  • Efficiency: Even if you knew as much about security as your bank, it simply wouldn't be efficient for you to secure your bedroom the way banks can secure a single facility for thousands of customers. 
  • Re-use / Multi-tenancy: Both of the above arguments also apply to "single tenant" safety deposit boxes.  But there's an additional benefit to putting your money into a checking account, a "multi-tenant" environment where your money is physically mixed together with everyone else's.  Here, the security of your individual dollar bill isn't important -- what matters is your ability to withdraw that dollar (+ some interest!) when you want.

Of course, one of the reasons we feel comfortable putting our money in a bank is that it is insured -- a level of maturity that hasn't come to the public cloud yet.  But remember, your on-premise technology doesn't come with any sort of insurance policy either. When you buy a hard drive, there's no insurance policy to cover the business cost if you lose the data on it. You may get your money back (or at least a new hard drive) if the one you buy is defective, but no one is going to write you a check to compensate you for the productivity or data lost.

How do companies handle this risk with their existing on-premise technology? They take reasonable precautions to prevent the loss (e.g., encrypting data, making backups) and then do what is referred to as "self insurance." They suck it up and get on with business.  And that's exactly what you have to do in the cloud today as well -- self-insure.

But that's today -- the public nature of the cloud drives a much faster rate of innovation around security than we've seen with on-premise technology. Gartner predicts "cloud insurance" services will soon be offered from an emerging set of cloud brokerages, a topic that I've blogged on in the past.  Two-factor authentication is sure to be standard on cloud applications before on-premise applications.  And any improvement in a cloud provider's security is instantly available to all their customers because everyone is on the updated version.

So where are you going to keep your most precious asset ... your company's information? Under a mattress? Or in a bank with top notch security?  Enhanced security is rapidly becoming a reason to adopt cloud solutions, despite all the F.U.D. to the contrary.

Ryan Nichols is the Vice President of Cloudsourcing and Cloud Strategy for Appirio.
