Cloud security tends to focus on content and application security – or how the cloud systems and their data are protected. Firewalls, password protection, and secure internet channels live here. This is the type of security that most people are concerned about when thinking about the cloud.
The good news is that pretty much all cloud vendors have got these nailed, and can do a very good job of explaining exactly how secure their systems are. The bad news is that this type of security is only part of the real picture. In addition to application security, you need to consider three more areas: Data Protection, Disaster Recovery and Vendor Stability.
Most business people in the UK will have heard about EU Data Protection legislation. I won’t dive into the legalities of it here, but the EU is proposing a new set of directives, designed to govern the management of personally identifiable data – i.e. data that relates to individuals. This has wide-ranging implications for storing content in the cloud, but there are two key things to note here:
This only relates to personal data, not things like marketing materials or company accounts.
The legislation is not yet passed.
One of the ways to try to comply with the rules is to ensure that your cloud content is stored in UK data centres – assuming that you are a UK company. The better cloud vendors will already have UK-based data centres – but not all do. If you are considering moving to the cloud, or are there already, this is something worth checking.
One of the benefits of the cloud is that things like backup and disaster recovery are handled by your cloud vendor. However, the fact that someone else is doing the heavy lifting does not always mean that they are doing it well. There are two key elements: recovery time and restore period.
Recovery time is how quickly your system can be up and running after a crash. While this appears important, it is not as important as the restore period, or the frequency of backups.
Think about a cloud solution that can be recovered in 10 minutes after a crash – it sounds fantastic. If the crash happens at 4.45 pm and the last backup was made at midnight, then virtually a whole day of work has been lost. Balancing recovery and restore times is vital, as is making sure that the backups made by your cloud host also comply with the data protection rules previously mentioned.
Moving your systems and data to the cloud is a big commitment, and something that should not be taken lightly. Many people consider cost and security as the key factors in any such move, but for me, vendor longevity and stability are of equal, if not higher, importance. Many cloud vendors are fairly new, and with that comes incredible agility, more often than not excellent software, wonderful pricing and fantastic promise. However, what happens if that vendor goes out of business? Without wanting to sound like the bearer of doom and gloom for cloud startups, you need to understand the balance of risk and reward when selecting a cloud vendor. Established vendors have more stability, so there will be less risk, but in turn they may have slightly less attractive solutions and pricing. Newer vendors have less stability, so are higher risk, but may offer more attractive solutions and pricing. The choice is yours.
It turns out that cloud security is more complicated than we originally thought, and that may mean that cloud solutions take a little longer to evaluate. The positive thing is that once a cloud vendor can satisfy a sceptical potential customer that they can deliver against all of the above points, the prospect can have complete confidence in its vendor, cloud solution and the associated security. The migration to the cloud should then be a comfortable one.