Ok, I know the title sounds a little negative. I’m not against cloud services at all. We use cloud services here for a wide variety of business and personal purposes.

Having said that, there are a couple of issues that bother me about the cloud and while some are philosophical, some are technical as well. One thing that bugs me about the push to the cloud is it’s being touted as some “new” technology.  It’s not.

We’ve been operating in a “cloud” environment since the dawn of computing. The only difference is the “cloud” was inside our network borders aka a “private cloud.”

Other “advantages” include collaborative tools that allow people to access files (hmm, old-school NFS) and modify them to increase productivity, and economic advantages of saving $$, thereby allowing your company to be “green” and do its part for sustainability. Another claimed advantage is the transference of risk to the cloud provider instead of your company. All of these are valid points. Here are some things to consider.

1. Sustainability – this is very good. But the fact of the matter is that the power to run the cloud storage units is consumed somewhere else, so what are the net energy savings if you look at the whole picture? Probably negligible, since the cloud service still has to consume power to function.

2. Collaborative tools – This is certainly true. Products like Google Apps and SharePoint Online are examples of some great collaborative tools. Whether they actually increase productivity depends on your organizational culture. In the EDU world, you probably can demonstrate gains on the academic/research side of the house. I’m not sure about the administrative or business side of the house. In the corporate world, internal politics may actually discourage collaboration.

3. Ask yourself this question. Would you store your personal tax records, wills, deeds, vehicle titles, and photos at a remote site not knowing exactly WHERE these sites are? To some degree, we do this already. It’s called a bank safe deposit box. You put your valuable documents in some safe location outside of your home in case of a local disaster. A regional disaster like Hurricane Katrina may invalidate that assumption, but those scenarios are thankfully rare. At least I hope so. Can you get to your sensitive data WHEN you need to get to your sensitive data?

4. Have they ever suffered a data breach? I know, good luck getting an answer to that one. Remember, however, that Google, Yahoo and other major Internet giants have suffered data breaches in the past.

Why would a company want to store their business records, customer data, intellectual property etc. with another company?

What do you know about these companies? We used to say “they’re big and they can be trusted.” I think the Snowden disclosures have cast a “cloud” (pun intended) on some of the Internet giants’ reputations for safeguarding your data. The CEO of one of the major Internet giants said that they were “forced” to cooperate with the government or else the CEO would go to jail.

www.cloudsecurityalliance.org has a great set of guidance documents to help you do a reasonable risk analysis of cloud services. Take a look at the Cloud Controls Matrix or the Security Guidance for Critical Areas of Focus in Cloud Computing v3.0 guides. The Security Guidance doc is especially useful because it lists 13 “domains” that should be discussed with a cloud provider during contract negotiations.

The domains include Governance & Risk Management, Information Management and Security, Incident Response, Application Security, Encryption and Key Management, Traditional Security, and Business Continuity and Disaster Recovery. For each of these areas, ask the cloud provider how THEY do these things.

For example, if you decide to terminate your contract with a cloud provider, how long does it take them to remove ALL instances of your data, including backups, and do they notify you that they have done this? I’ve found these guides to be very useful in building a cloud-based data protection strategy.

Let’s face it. It’s all about the data. Public information about your organization stored in the cloud isn’t as risky as storing personally identifiable information (PII). While we’re on that subject, let’s talk about encryption in the cloud.

You should ALWAYS encrypt any sensitive data files before storing them in ANY public or private cloud. State data breach notification laws apply, and Federal export-restricted data governed by ITAR or DFAR must reside on servers physically resident in the continental US. Does the cloud provider guarantee this? Some do, some don’t. Some cloud providers will encrypt the data files once they’re stored on their sites. Make sure you know who owns the encryption keys.
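The “encrypt before it leaves your borders, and know who holds the keys” point above, as an added Go example that is not from the original post: the provider only ever receives an object name, a nonce and an AES-256-GCM ciphertext, and the key (assumed here to come from the data owner’s own key store, not the provider’s) never leaves the client. Binding the object name into the authenticated data is an assumption of this example, added so that a swapped or renamed object is refused on download.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// sealedObject is all the provider ever receives; the key stays inside our borders.
type sealedObject struct {
	Name  string
	Nonce []byte
	Blob  []byte // ciphertext followed by the 16-byte GCM authentication tag
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealForUpload encrypts a file locally before it leaves the network. The object
// name is bound in as additional data, so a swapped or renamed object will not open.
func sealForUpload(key []byte, name string, plaintext []byte) (*sealedObject, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := aead.Seal(nil, nonce, plaintext, []byte(name))
	return &sealedObject{Name: name, Nonce: nonce, Blob: blob}, nil
}

// openFromDownload decrypts with the owner's key; any other key, modified byte or changed name fails.
func openFromDownload(key []byte, obj *sealedObject) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, obj.Nonce, obj.Blob, []byte(obj.Name))
	if err != nil {
		return nil, errors.New("refused: wrong key, tampered blob, or renamed object")
	}
	return pt, nil
}
```

A provider-side “encryption at rest” with provider-held keys adds nothing against this threat; only data sealed this way before upload stays opaque to the provider and to anyone who compels them.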

Some data should never be stored in a cloud outside of your network borders. You need to do a thorough and comprehensive risk analysis to determine the risk of data exposure in the cloud. I strongly recommend you read the docs at the cloudsecurityalliance.org web site before you finalize a contract with a cloud storage provider. Remember, there’s always a price you pay for convenience.
