One of the biggest obstacles to Cloud Computing is perceived security risks. Despite Cloud Computing’s maturity, many organisations are just beginning to consider it, and are either concerned or outright worried, as they are unfamiliar with it. I’d like to address three points: the perception that cloud computing is foreign, real vs perceived risks, and the dual nature of genuine security.
You already use cloud computing…
First, most people currently use cloud computing but are often unaware of this, as it’s not labeled as Cloud Computing. You use cloud computing if:
- You have online banking. HSBC, Barclays, Lloyds, etc. all use web-based cloud computing.
- You have voicemail, either for your mobile phone or BT landline, as that is a basic form of cloud computing.
- You use any number of online backup services like iDrive, Mozy, Dropbox, etc.
- You watch video on YouTube
- You use Gmail, Yahoo, Hotmail, or any web-based email from a major provider
- You have an account with LinkedIn, Facebook, MySpace, etc.
- You store your photos with Flickr, Picasa, oPhoto, etc.
While not labeled as such, the above are all examples of Cloud Computing.
We don’t know what to be afraid of…
Our fear is often based on what makes the news and what we are told. Both of these things require a certain level of sensationalism for information to be passed on.
For a great explanation of how we perceive danger vs. actual danger, Dan Gilbert dips into the human psyche. The relevant bit is from 4:30 (queued up already) to 6:01.
You will hear news stories of cloud computing scares, but you will never hear the most common security issue: laptop (or smartphone) lost or stolen. Cloud computing is sexy, and is also a bit scary because it’s new. Losing a laptop is mundane. Which do you think is really the greater risk?
Security has two dimensions…
Security needs to do two things:
- Keep secure information out of the hands of strangers / untrusted people
- Keep secure information available and accessible to trusted people
Most people focus on the first one, but the second one is perhaps even more important.
Now let’s take a look at the most common security issue – a laptop computer (or smartphone) is stolen. What do the thieves have access to?
If this is my laptop, I’m seriously annoyed because I have a Macbook Pro, and they aren’t cheap. But as for my data?
- My email and calendar and documents are in Google Apps and I reach them via the web interface. As I tell Google to keep me logged in for two weeks, I would simply log in to Google Apps, change my password, and voila, zero access.
- All my client information is stored on Salesforce, not my laptop. I don’t even need to change my password because Salesforce logs me out after a period of inactivity, though I’d change it just to be sure.
- My internal financial information is stored in Xero and HSBC. Again, Xero’s period of inactivity is so short nothing would be at risk, but just in case I’d change my password. HSBC would require they also steal my key fob, so absolutely zero risk there.
What would the thieves have access to? A couple thousand photos from my vacations which I have backed up, and my collection of music (and I apparently have bad taste, so no real loss there either).
The same goes for all the laptops and desktops in my organisation. No matter what happened, we would retain access, and the thieves wouldn’t.
Where is your data now?
Most people concerned about security have their data on a server. It’s generally under the boss’s desk, in a closet, or possibly even in an IT room. Remember, passwords are useless if there is physical access. Just remove the hard drive, access it from another computer, and you will have 100% access to everything.
So, who has physical access to your data? (I’m not saying these people would access it, but they easily could)
- Every single one of your employees
- Probably your old employees if they have an old set of keys
- The cleaner (who is usually there completely alone)
- Anyone else who has access to your office, such as landlord, contractors, security, etc.
- Anyone who is inclined to break in
And are you completely confident that if your server was taken, your backups would restore everything?
Ultimately, people need to make a rational decision about risk. The challenge is that risk is based on emotional perceptions, and we are all human. I completely understand when people are hesitant – anything new, unfamiliar and foreign deserves extra scrutiny before entrusting it with your organisation’s data. My recommendation is to conduct enough research to satisfy yourself one way or the other about Cloud Computing’s security. That’s all anyone can do.