Concerning Security

May 13, 2011

We’ve all heard the benefits of opting for a Cloud computing solution a thousand times before: reduced capital expenditure, economies of scale, 99.99% network availability and faster internet speeds.

Yet despite the fact that 2011 is arguably the year of the Cloud, with a 19% increase in total Cloud revenue compared to 2010, adoption of Cloud services has been hampered by one issue that just won’t stop rearing its ugly head: concerns around security. Indeed, Computing magazine recently reported on a survey conducted by the Cloud Industry Forum, which stated that 23% of businesses would not trust a Cloud provider to host their client and third-party data, and a staggering 54% would not move employee data to the Cloud.

Whilst I would seriously question the figures given on concerns over the security of employee data being greater than client data (surely something as sensitive as customer credit card details would be more important to the company than their staff data?), the statistics are still worryingly high.

Of course, organisations are right to consider the implications of accessing their data over the Internet, and granted, it does not make good business sense to put extremely sensitive data into a public Cloud, where the location of its storage is unknown. A private Cloud however, is another matter entirely.

A private Cloud offers companies the chance to specify every last detail of the infrastructure supporting and providing the application or service, from the make and model of the hardware, to network management tools and firewalls. The infrastructure is not shared with any third parties and the Cloud provider will offer an SLA with clearly defined financial penalties for any breach in performance.

Typically hosted in a highly secure, Tier 3 or Tier 4 data centre environment within the UK, private Cloud organisations know where the data is, who is managing it and who has access, therefore granting far greater levels of security than would be possible in a public Cloud, or indeed in the equivalent on-premise solution.

Should security concerns therefore be an absolute barrier to the adoption of Cloud computing technologies? Absolutely not. After all, how many organisations could confidently say that their data would be more secure if held in-house compared to if held in a highly secure, Tier 4 data centre by an ISO 27001:2005 accredited Cloud provider?

Yes, organisations are right to consider the implications of the Cloud, but have they considered the expensive, challenging and time-consuming nature of the on-premise alternative?

Expensive infrastructure
Choosing to maintain IT services in-house, an organisation would be required to purchase expensive infrastructure and large servers, many of which will never be fully utilised. With Cloud-based technology however, IT services can be “rented” on an ad-hoc basis, as and when needed. This allows costs to be kept down to a monthly retainer, rather than requiring organisations to fork out on large, upfront capital expenditure in order to purchase the equipment in-house.

Data centres
Any data that organisations would not be happy to have stored off site with a Cloud provider would have to be stored in their own purpose-built data centre, a cost which cannot be justified, or indeed met, by many organisations aiming to keep costs down as the economic troubles continue to rumble on. Choosing a private Cloud provider however, the client will typically have access to a Tier 3 or Tier 4 data centre, both of which offer far greater levels of data security than on-premise systems, and at a fraction of the price. At a physical level, Tier 3 or 4 data centres are well ventilated, fire proof and have 24×7 security staff. They are also secured with leading edge technology – from firewalls and anti-spam to anti-virus and real-time monitoring technology – luxuries that could never be justified by a single SME.

Quality assurance, compliance and accreditation – more hassle than they’re worth?
To ensure the security of data, ISO 27001:2005 data security accreditation should be a given. But organisations also need to consider data protection, vulnerability management, physical and personnel security, availability, application security, incident response and privacy. And what is the ongoing commitment to improving security? A Cloud provider, because of its collective buying power, can afford to purchase a greater quantity of, and more sophisticated, security devices to identify potential service attacks than an internal IT department could ever justify. Furthermore, if an organisation has to hold credit card data, they must be PCI DSS compliant. It seems absurd therefore that an organisation would prefer to go through the hassle and cost of getting audited themselves in order to keep their IT in-house, when they could instead choose to put their trust in a Cloud supplier that has all the compliance, assurance and accreditation boxes ticked before the contract is even signed.

In short, an independent business, unless they are a major top 10 corporate, cannot compete with the resource of a quality, fully accredited and compliant Cloud provider; a Cloud provider that has the correct skills, facilities and highly trained employees in place. Granted, a Cloud provider will never be 100% immune to security risks, and anyone that says they are is not being entirely truthful. But as a Cloud provider can offer SLAs which are built around 99.99% risk immunity, threats to security can be mitigated in the vast majority of cases. With uptake of Cloud technologies seemingly on the rise throughout this year and the next therefore, perhaps it is finally time for organisations to lay their security concerns to rest, and instead put their trust in the Cloud.

Source: Concerning Security

Visit us at http://www.gosecure.com soon
