Data in the Cloud. Under Siege.
How do you propose the Cloud when many clients believe that data in the Cloud can never be safe?
Over years of selling Cloud services I have heard many objections to it. One of the most common is security. The funny thing is that security is a blocker against the Cloud for some customers and, at the same time, a reason to migrate for others.
At sales events (with potential, not current, customers) I have many discussions with CIOs of medium-sized and even small organizations in which they express their concern that the Cloud cannot provide the level of security they need. They are more worried about security than about reliability in the Cloud. A few popular examples from them:
· Competitors may gain access to data in the Cloud and harm the organization's business.
· The Cloud provider's technical staff, who administer the IT systems, could be corrupted.
· Authorities (e.g. the Tax Service) may discover undesirable information about the organization by analyzing its data in the Cloud.
· And specifically for the public sector: the CIA, FSB or Mossad (depending on the country) may hack data in the Cloud.
Moreover, the clients I talked to gave me many concrete scenarios of possible data leaks from Cloud providers: competitors may exploit vulnerabilities in the Cloud provider's IT systems (e.g. unpatched software), the provider's technicians could be tracked down through social networks and approached by attackers, and the authorities could unexpectedly arrive and confiscate all of a Cloud provider's servers. A new James Bond movie could be made from customers' ideas of how the various secret services steal data from the Cloud.
What can I reply? Nothing. It is all true. Everything mentioned above could happen. Nobody at a Cloud provider will stop the police if they come legally to confiscate data, nobody can guarantee that none of the provider's employees will ever take a bribe, and competitors may hire hackers and find a hole. The only question is how specific these things are to the Cloud. Are these challenges not common to IT in general, regardless of whether it is in the Cloud or not?
In such discussions, I simply ask the customers to tell me how they address all these threats now, on premise, in their own infrastructure. The first group of answers is about DLP, DMZ, SSL, CASB and whatever other security tools the customers use, or about a high-class security team that monitors 24x7 and prevents all risks in the customer's infrastructure. This is quite a small group.
The second group of clients admit that they are 'still at the beginning'. I have had many discussions about provider insecurity with CIOs who keep all their critical applications and data on a couple of servers located directly in their office, where several administrators have full access to everything. There is no physical protection of the hardware, no specialized security tools (let alone the staff), and all their competitors know their key IT specialists (current and former), whom they may 'contact'. Yet the CIO is worried that the Cloud provider's DLP is not good enough to prevent every possible leak.
Certainly, Cloud providers are not as well protected as Fort Knox. They have to find a balance between price, performance and security. But often concerns about security in the Cloud are a reflection of concerns about the security of the customer's own infrastructure. Customers know about the security risks but are quite forgiving of their own gaps, excusing them as only temporary: in the future they will invest much more in security and close all the holes. From the Cloud, however, they want everything, and for free.
Providers are professional players, and security is an integral part of their business. The support teams in the Cloud do not know from which side or what kind of attack they will face, which is why they have to protect their fortress as if enemies could come from anywhere. As a result, the IT infrastructure of an average Cloud provider is more secure than the infrastructure of an average client. So, for most customers, moving data to the Cloud makes it safer. But if a customer needs a higher level of defense, and is ready to spend more resources on security and build a better protected infrastructure, it simply should not go to the Cloud.