by Marc Clark, director, Cloud Strategy and Deployment, Teradata Cloud Solutions
And with all the high profile data breaches in just the past 12 months, who could blame them?
With that said, is their cloud security fear backed by reality? The fact is that when one thinks about data breaches, not a single breach that comes to mind was actually a cloud breach. Even that now-famous celebrity iCloud photo scandal was because hackers specifically targeted certain people and guessed (successfully) their username and password information – not because the iCloud service itself was hacked.
Might this mean that the cloud is actually a safer place for data than in an on-premises deployment? Maybe so.
Consider this: most major cloud providers are putting themselves through rigorous audits to validate compliance with security standards such as ISO 27001, SSAE-16, PCI, HIPAA, FedRAMP, and others. To pass such audits, a cloud service provider must prove that its security policies meet or exceed an exhaustive list of controls and policies.
Now ask yourself this: do your on-premises datacenters and the systems deployed in those datacenters have the capabilities to pass the same types of audits listed above? Are you sure? How do you know?
I think it is a legitimate question. If a cloud provider can meet more, and possibly stricter, security audits than your on-premises deployments, hasn’t cloud security ceased to be a legitimate excuse for not moving to the cloud?
The way I see it, many of the people holding out on moving anything to the cloud are actually confusing control with security. They seem to feel somehow that if systems are on-premises and under their visibility and “control” that they necessarily have better security.
However, location of data does not equate to security. Access and the controls around data are immensely more important than location. And although champions of on-premises systems have the best of intentions, often they are not afforded the budget or resources that major cloud providers have to secure and monitor their environments.
If you think about it, it makes perfect sense. If a retailer has a data breach, maybe some people don’t shop there for a few weeks or months. Or maybe customers start paying in cash more than by debit/credit card. So although security is important to these types of companies, the fact is that until they have a breach that costs them WAY more than they would have ever paid for better security, they typically aren’t putting the money and resources needed to really stay ahead in the security game. The insurance is considered more expensive than the risk.
But for cloud providers, though, their product IS the cloud – not hammers or hobby crafts or paper towels. The truth is that if a cloud provider has a security breach, trust is lost in their core product, full stop. And it is hard to recover that trust. Therefore, securing their product – the cloud – should and in most cases does, get the money and resources it needs.
With all that being said, there are a couple things I want to make clear. First, yes some companies are putting sufficient resources and money into data security. However, in my experience of selling, marketing, and consulting for almost 20 years to both large and mid-size companies, the companies that put their money and resources into data security are the exception, not the rule.
Second, don’t blindly assume that every cloud provider is doing what is needed for data security. Never assume! It is vital when engaging with any cloud provider that you review their security policies and that you ensure they have all the regulatory audits that pertain to your industry.
Also understand that not all certifications are done at the same level. For example, a PCI audit against IaaS is different than one done against PaaS or SaaS. Just make sure you recognize the differences and clearly delineate where your cloud provider’s security responsibilities end and yours begin. I pity the person who leaves a gap!
Ultimately, you have to feel as though your cloud provider will take care of your data as well as, or better than, you will. And this is a question of security, not one of control.
It’s time to stop assuming that the cloud is a less safe place to put your data than in an on-premises system. That ship of excuses has sailed.
If you want to learn about applied best practices, certifications and ongoing audits for security for data warehouse and analytics, I suggest you check out this paper