In association with new online publication Cloud Magazine, Giacom looks for a cure for Nephophobia (fear of clouds) in this persuasive view of cloud IT security…
How to cure Nephophobia (fear of clouds)
by Louis Nauges
Is the Cloud secure? It is more secure than any traditional IT solution available today. The Cloud is the safest option for IT available today for any organisation, small or large, public or private, in the US or anywhere else.
This article will focus on the security of Public clouds, in the context of the current Cloud IT revolution which began in 2010. Most of the security questions asked by IT Professionals and Managers are focused on the “lack of security” in public cloud compared to private clouds. I will argue that public clouds are much safer than private ones.
I prefer to use the term Cloud IT rather than Cloud Computing because it covers a much wider family of solutions and tools. In this text, Cloud IT will refer to:
- Public cloud infrastructures: Google, AWS, Microsoft Azure
- Real multi-tenant SaaS applications: Google Apps, Salesforce.com, SuccessFactors
- CCD (Cloud Connected Devices): any smartphone or tablet that allows access to SaaS (Software as a Service) applications from a browser without the need to install an application on the device.
Do you know of any activity which is 100% safe? Driving? Flying? Eating? Sleeping? Walking? Playing Golf? I don’t. Over the last three years, at every Cloud conference I have attended as a speaker or a participant, security was on the agenda. Additionally, more sessions at these conferences were dedicated to the topic of security than any other topic. You really needed a healthy dose of optimism to return from these conferences without a negative view of Cloud IT and to prevent yourself from transforming into a “Cloud hypochondriac”. My hope is that after reading this article, you will be less Nephophobiac and more Nephophile!
Public Cloud vs Private Cloud
It’s fascinating to listen to so many CIOs and vendors, praising the virtues of private clouds when nobody has seen one! They are like the Yeti, everyone talks about it, but nobody has ever seen one. I will use “private cloud” as a synonym for a Corporate DataCenter or traditional, locally hosted, IT solutions. This classification is great news for CIOs! Their old data center has been upgraded to the status of “private cloud” at no additional cost.
Public clouds are managed by top tier professionals in world class organizations like Amazon, Google or Microsoft, and they’re used by hundreds of millions of people. How can IT security specialists compare the security of public clouds to the security of “private clouds” maintained by smaller teams of, by definition, less talented professionals? I don’t have the answer to this simple question.
Fear of innovation
Innovation is the harbinger of fear. Cloud IT is a huge innovation impacting all facets of the IT industry and IT teams within organizations. FDR (Franklin Delano Roosevelt) may as well have been speaking for IT managers and CIOs when he said: “The only thing we have to fear is fear itself”. It is the same for nearly everyone when they fly or drive a car for the first time. The fear is understandable. That same fear arises when you confront any big change, including a game-changing technology like Cloud IT. In fact, a reasonable level of fear is healthy! As you push the limits of your fear and get comfortable enough to regularly fly, or you lose your driving jitters through practice and experience, you realize that those activities can literally take you farther. A reasonable level of fear leads the Cloud IT Managers I have met to perform due diligence on security: testing and probing their Cloud Provider’s ability to secure their data. Once this due diligence is complete, they come to the same conclusion I did (Cloud IT is the safest option for IT) and they can move forward with the Cloud IT adoption – taking their organizations further.
The real problem lies in people carrying an unreasonable level of fear. This unreasonable level of fear derives from two sources:
- Lack of knowledge: this is easy to solve and I have explained to numerous senior executives and IT managers why Cloud IT can be the safest solution for them when implemented properly.
- On-premise IT vendors, and in-house IT professionals: this group of people are well aware that Cloud IT is a serious threat to their business and/or their employment. And as a result they cultivate a culture of fear propagating the Nephophobia virus. They aggrandize each negative Cloud IT incident to bolster their argument that the Cloud is dangerous, taking advantage of the transparency of Cloud Providers in the process. It is important to note that this transparency does not exist with private clouds (in-house IT operations) where information is spun and censored and incidents are swept under the rug.
Cloud IT will have a profound impact on most legacy vendors.
- Server vendors: when a company goes to Cloud IT, it stops buying servers.
- PC vendors: Cloud IT users are migrating to mobile devices that use less disk space and less power because most of the work is done in the Cloud. In 2011, Desktop PCs already represent less than 20% of the market of devices used to access the Cloud.
- Desktop software: most applications are moving to the SaaS space, eliminating the need for bloated desktop software.
- Integrated ERP vendors: SaaS vendors provide solutions which are cheaper and faster to deploy. SAP has recognized the potential by paying $3.4 billion for SuccessFactors and demonstrating their commitment to Cloud IT.
- Large IT consulting companies: multimillion dollar projects don’t exist in Cloud IT: on average, I estimate that clients will spend 10 times less on implementation.
- Security specialists: If their clients understand that going to Cloud IT will decrease the level of risk, their fear-fed business is in trouble! Cloud IT subscribers get to transfer most of their security worry to a well-funded, professional provider able to attract top talent from top schools. Buying from a top Cloud provider means the best security talent money can buy is going to be securing your data.
Serious questions, reasonable answers
Now, let’s go to the core of the issue: what are the real problems that need to be addressed before moving to a public cloud?
1 – Security:
The most widely asked question: Are public clouds secure? Yes, public clouds are safer than 99.9999% of locally hosted or traditional IT solutions. Professional Cloud providers have the most expertise, attract the top talent, and are on the forefront of IT security. How can local, internal IT organizations compete? Additionally, Cloud providers adhere to the highest security standards like SAS 70 Type II, secure connections (via an HTTPS website address) and OTP (One Time/Single Use Password). I access all my SaaS applications like Google Apps and Zoho CRM with a secure connection. When I connect to the Cloud from a new PC, smartphone or tablet, an OTP is generated on my smartphone by Google Authenticator, a free token generator. It does not take a lot of time to convince a reasonable small to medium business leader that no other solution is safer than a public cloud.
2 – Loss of Information:
What happens if my Cloud provider loses my documents, my emails or my list of contacts?
- Professional Cloud providers rarely lose data. Revevol (a Cloud solutions consultant) is now partnering with Backupify, a company that provides backup for Cloud solutions like Google Apps. In a recent document, they were honest enough to write: The “Number of times Google has lost data for Google Apps = 0” (Yes, zero!).
- Losses of information do occur, but they are, in most cases, due to human error: users erasing or deleting documents or email. And the second most frequent cause of data loss is hacked accounts. Accounts are hacked mostly because users choose (or their organizations did not eliminate the option to choose) easy to crack, simplistic passwords.
There are many solutions available to protect companies from data loss. Postini for email and Backupify for documents are part of a growing family of Cloud data backup solutions.
3 – Espionage:
Most organizations have sensitive information which may be of interest for competitors or foreign entities. So, will adopting Cloud IT make it easier to steal/access my data? The answer is – of course not! Competitors and foreign entities may be powerful, but when you choose a top cloud provider, you not only enjoy the economies of scale inherent in Cloud IT, but also the security expertise of leading technology firms. Outside of the USA, everyone is concerned about the “Patriot Act”, a US law which allows US law enforcement authorities to access information stored in data centers located on US soil without prior judicial approval.
Wikileaks has just released, in December 2011, links to hundreds of documents showing that every Government in the world is doing the same thing. At the ISS conferences, held all over the world, specialized software vendors present their latest offering in sophisticated spying tools, which, of course, are only used for “lawful interception, criminal investigations and intelligence gathering”. Can private clouds keep up with these ever-advancing security threats? Of course not! Only established, well-funded, industry-leading Cloud IT providers can keep up with these threats. They have the money, experience, and ability to attract the best talent and develop the latest technology to protect their clouds.
4 – Privacy:
How can I be certain that my personal information will not be read by people who don’t have the right to do so? Everyone knows that absolute protection does not exist, but one more time, it’s less likely to occur in public clouds than in private ones. Please remember, in most organizations, systems administrators have access to all documents and files and can get user passwords at will. Public cloud providers realize clients are sensitive to privacy issues and work to mitigate client fears through transparency and, increasingly, greater choice for configuration. A recent example: Amazon sought to reduce privacy worries for users of its new Kindle Fire Silk Web Browser by allowing the disabling of browsing done with the help of the AWS (Amazon Web Services) servers.
5 – Confidentiality:
This is, by far, the paramount fear of all organizations I have worked with to move any part of their IT to a public cloud. There are no easy, rational answers to this fear: Will the big bad company X (Amazon, Google, Microsoft, etc.) read my emails and my documents? One of the most common statements we get from clients is: “On my Private Gmail, I see ads which are displayed using some of the words in an email, does this mean that Google is reading my mail?” It’s not always easy to explain that there are software robots that match keywords from the message to “AdWords” purchased by advertisers. I explain to clients that this function is disabled in Google Enterprise Apps, the professional version, and that the Google Enterprise confidentiality agreement is clearly laid out in the contract they will sign. At the end of the day, it comes down to a simple word: trust. The relationship between organizations and their public cloud providers is very much like the relationship they have with their bank.
A final word
We all know that 100% safe flying does not exist, some airlines are safer than others, and that flying in some countries is more dangerous than others. The same can be said of public cloud providers: some have a much better security record than others. It’s also very important to adjust the level of security to the level of risk. If I am afraid to take the subway in NYC because a pickpocket could rob me of the $50 I have in my wallet, and my solution to this fear is to hire an armoured Wells Fargo truck to take me to my destination, the result is security that costs 10 times more than the potential risk!
We are entering a new and exciting era in the world of IT, the Cloud Computing decade in which there is no place for amateurs. I sleep very well at night knowing all my applications and information reside in public clouds.
Revevol advises and assists clients in their adoption of Cloud technology. Founded in 2007, focused on “Pure Cloud Strategy”, Revevol has assembled a superlative offering of SaaS (Software as a Service) solutions: CRM, ERP, and BPM through partnerships with leading technology providers. A pioneer in the market, Revevol has unparalleled technical, advisory, and change management experience.