Probably the most common reaction people have when they first hear about cloud computing is to wonder whether or not it’s safe. We’ve spent years being told to be careful online, to keep our data safe and our passwords complicated. So when someone recommends that we put our most valuable information ‘on the cloud’ it sounds like a terrible idea.
If you felt that way, or still do, don’t let anyone make you feel like you aren’t technically savvy. You’ve absorbed one of the most important lessons from the IT revolution: security matters.
There are risks to using cloud computing, but there are also risks to storing information on your own system. The reality is that you can’t eliminate security risks, but you can minimize them and you can balance your risk with expected returns.
What are you afraid of?
Before deciding whether cloud computing is right for you, you need to stop and identify what risks you are exposed to. Hackers and computer viruses get the big headlines, but plenty of people have lost important data because their system crashed and they had never made a backup. Unplanned downtime, even when data is recovered, could mean a missed deadline and a lost client.
Depending on your industry, there could be other specific threats that need to be accounted for. Data security isn’t just a matter of preventing malicious attacks; you also need good procedures in place to prevent the casual, careless problems that can be just as costly to your company.
So is cloud computing more or less secure?
It’s impossible to give a single answer for everyone. A better question is: who best meets your security needs? If you are a small company without an IT department, you may struggle to keep up with the latest exploits and security best practices. A multinational, by contrast, has the resources to create its own internal cloud platform, and because it is a more visible target its security concerns are greater, which is another reason for it to be cautious. As another example, the US government encourages its agencies to use third-party cloud providers extensively to cut costs – but they aren’t storing nuclear secrets on Amazon Web Services.
If you’re an SME outside the IT sector, chances are you’re better off working with a cloud provider than trying to do everything yourself. If you have information that you consider to be truly confidential, then you might want to keep that on an internal network (and talk to a security auditor about how to keep it safe), but you can trust a reputable provider with everything else.
How do I assess cloud security?
But that leaves the big question: how do you find a reputable cloud provider? If you had the technical expertise to evaluate a cloud platform’s security protocols, you probably wouldn’t be reading this blog (and I would probably be reading yours). That’s why I recommend people start their search with the Cloud Security Alliance’s STAR program (Security, Trust, and Assurance Registry). Company submissions are called Consensus Assessments Initiative Questionnaires or just CSIs, and they’re a pretty dry read, but they are also very explicit. You’ll want to have your head of IT (or a trusted techie) nearby to help you with some sections, but comparing the CSIs from different companies will give you a good sense of who is working hard to protect their clients.