(Stephen Parker, Head of Cloud Strategy, NewLease)
Doing nothing is not always safer.
Cloud security is hotly debated and is listed as one of the top concerns across all business sizes when considering a move to cloud computing. A “Bing” on the string “Cloud Security” returns 13.9m results!
An interesting example of one of these documents is from the Australian Defence Signals Directorate (http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf). It is structured as a simple “cloud” overview, then a list of security-related questions you should ask, and finally an explanation of why they are important. For example, the first 4 questions are:
- My data or functionality to be moved to the cloud is not business critical.
- I have reviewed the vendor’s business continuity and disaster recovery plan.
- I will maintain an up to date backup copy of my data.
- My data or business functionality will be replicated with a second vendor.
These are perfectly reasonable questions, but what if you replaced “cloud” with “our current environment”? How would you answer these?
- My data or functionality to be accessed externally from our current environment is not business critical.
- I have reviewed our current environment’s business continuity and disaster recovery plan.
- I will maintain an up to date backup copy of data in our current environment.
- My data or business functionality in our current environment will be replicated with a second vendor.
Although not perfect (nothing is), it is highly likely that for many businesses (especially SMBs) the Cloud would actually be better from a security perspective than their current IT setup.
Research from Microsoft reviews the benefits of the cloud on SMBs’ security.
The cloud security debate is all too often based on emotional rather than rational thinking. What is commonly missed is a formal risk assessment of the services you plan to move to the cloud. With that in hand, you can compare your as-is environment with your proposed cloud option. Only then will you be able to make a true call as to how the cloud impacts your risk mitigation strategies for these services.