It seems the biggest reservation people have when it comes to the cloud involves the added security risks – the whole idea that “you can’t control what you can’t see.” But is that really the case, or is it more of a knee-jerk reaction from those unfamiliar with the cloud?
Last week I spoke with John Welch about how data warehousing fits into a cloud-based model. Welch is a chief architect with North Carolina-based business intelligence consulting firm Mariner, and he’s scheduled to speak at PASS 2009 on BI and cloud computing.
During our conversation, I asked him a general question about whether he thought the security risks associated with the cloud are myth or reality. Here’s what he had to say:
“I’d say it’s really sort of knee-jerk reaction, and I say that for a couple of reasons.
First, a lot of companies already outsource significant processing of their data to other companies. For example, most companies outsource their payroll processing to a third-party. So right there you’re talking about fairly sensitive information, but no one hesitates about outsourcing that.
Secondly, the physical security in a cloud-based model of the actual data and the data center is probably higher in most cases than what people have on premise. The standards for those data centers are held to a much higher level than what internal data centers usually are. So I think it’s just a legacy of people thinking ‘Well if the data is not inside of our network, then we can’t control it.’ And that’s not really the case these days.
In fact if you look at recent exposure of data, a pretty fair percentage of it is [the result of] internal leaks rather than somebody accessing the data on the cloud and hacking into it. So the problems that a [software as a service] company faces are the same as what internal companies face. It’s basically the people that are the biggest security risk — not the technology or where the data is located.”
In other words, security is always an issue, but cloud computing doesn’t necessarily increase those risks. Then again, you also need to define exactly what you mean by security. From a pure data protection standpoint, there are still steps to take when moving data to the cloud.
Brent Ozar, a SQL Server expert with Quest Software who is also speaking on the cloud at PASS 2009, said in a recent interview that backups are a major concern for those considering cloud computing. “Before you put your data exclusively in someone else’s data center, you need to have solid backup and disaster recovery plans. Don’t assume everything is just magically taken care of in the cloud,” he said.
My colleague Steve Cimino argues that it’s the complications of cloud computing that sets off most security questions, and it certainly is a complicated matter with many (MANY) opinions. For every accusation of lack of security in the cloud (like potential vulnerabilities related to virtualization), there are new tools that are promised to make everything better.
But is this really any different than the issues and considerations involved with more traditional environments? It’s hard to say, but it’s certainly likely that unfamiliarity and the perceived “newness” of the cloud is its biggest obstacle right now.
One thing that never changes, however, is that the best way to avoid problems ahead of time is by following the proper best practices.
For more information on security and other cloud-related issues, visit SearchCloudComputing.com.