Is the Cloud the Next Iteration of Data Security?

Sitting in a meeting with a partner of ours, who provides cloud-based desktop and application services, I was struck by a statement by one of the company founders.  He said “Yes, we provide customers with an efficient way to access their corporate data, consume application resources in the cloud, and drive down costs.  But I’ve always maintained that our number one value to our customers is that we protect and secure their data.”

An interesting take, considering that the #1 concern many have over using cloud services is the protection and security of corporate data in these multitenant, shared platform environments.  His contention is that with a company’s data and access tightly controlled via a defined set of technologies, protocols and service level agreements, the chances of leakage are vastly less than in the traditional LAN environments.  And, I have to say, it makes a lot of common sense. 

Keeping control of your intellectual property and private dataset is a challenge that goes back to the Stone Age.  Man guarded any information that may affect his ability to survive, such as the location of good hunting grounds or where drinking water could be found.  He did this by keeping the knowledge to himself and passed it down by word of mouth to the next generation.  In this manner, the information could not be stolen or misused, unless that next generation chose to do so.

Early libraries were a way of controlling access to information and knowledge, by centrally locating the data and putting protections around it.  Even today, public libraries have safeguards that require some form of identification, and they maintain records of access. 

In wartime, information that needed to be secured but also distributed led to the evolution of coding and cyphers.  Codes could be broken through brute force or via defections, and so the need for constant monitoring and evaluation of the validity of the coding process was instituted.  In this way, data no longer had to be centralized to be secured. 

Unless everyone in your organization has a photographic memory, you have to put your trust in external solutions at some point.  Think about your current “private” network.  You rely on various technologies to provide protection:  your firewall, AV/Malware scanning, disk encryption and device access control, etc.  But are those solutions really YOUR solutions?  Did you write the code and create the protocols?  No, you selected a set of solutions that mapped best to your own requirements.  Sure, you have the ability to adjust and modify, to some degree, the configuration and implementation of these controls.  But it eventually comes down to trusting in the creators of the solutions.

Even in today’s most sophisticated environments, the risk of exposure is ever present.  I recently read an article about the infection of exclusive networks controlling the Air Force drone fleets.  While the networks are encapsulated, mobile drive devices were used to move data out and back into them.  So, while the technology used to secure these networks was sophisticated (and I’m sure VERY expensive), it all came down to a PIC (problem in chair) event.

Your “private” network is mainly made up of a mixed bag of components that all have their strengths and weaknesses.  Not to mention that you put that technology directly into the hands of a group of users who may or may not have your best interests at heart, or who may become disgruntled, dissatisfied or persuaded to violate your trust in them.  So, keeping that in mind, if you were to physically remove the data from the people, isn’t that inherently more secure? 

As we have progressed technologically, the ways we protect our data have had to evolve, but the basic principles remain the same:

Identify the risks

Define what techniques are necessary to provide protection

Enable access only to those required

Negotiate penalties and punishments

Test your security measures

Investigate breaches

Train your people

Yesterday’s solutions are today’s vulnerabilities (ok, a little weak but I need the Y…)

The arguments pro and con on the ability to secure data in cloud solutions will probably go on forever.  Every breach will probably lead to wails and protests amongst the detractors.  See, they will say, you can’t secure what you don’t control.  Trust no one but yourself.

Some of the greatest breaches (per have been made on data assumed to be secure because it was on a corporate controlled system when stolen:  Heartland, TJX, Sears, CardSystems.  Have these breaches greatly altered the way we conduct business today?  If you think so, ask yourself these questions:

Do you still use credit cards at retail stores?

Do you bank online?

Do you only pay government fees with cash?

EZPass anyone?

The moral here is that you trust the security partners and vendors whose products and services you utilize on your private network.  AND you trust your users not to abuse the confidentiality assumed by their employment.  The basic principles of security are not foreign ideas or technological impossibilities in the cloud space.   Do your homework, trust in your selection process, and think of how to utilize cloud services to enhance your data protection and security profile. Your thoughts?

Geoff Smith

Sr. Practice Director | Modern Workspace & Managed Services

Geoff has more than 30 years of experience working in all verticals and markets, from the SMB to the enterprise, focusing on the application of IT solutions that enable businesses to achieve their goals. As Practice Director of Managed Services and Modern Workspace, Geoff is focused on the development of co-sourced and federated Infrastructure Operations, Help Desk, Cloud, and Security Service Frameworks designed to optimize IT operations and drive economic value to the business.

Geoff helps develop new services and marketing strategies for the company, as well as provides strategy and support to GreenPages’ key clients. Prior to GreenPages, Geoff was the Director of Client Services for Managed Technology Partners, where he was part of an overlay team that architected a new services methodology, marketing strategy, and client acquisition model. Geoff’s professional certifications include CCSP, MCNE, and VTSP. Geoff earned a BS in Computer Science from Westfield State College.