Following on from Edward Snowden's revelations about the NSA's activity, there have been increasing concerns about just how secure our data is, particularly if it's stored in the cloud. Indeed, it's reckoned that the cloud industry faces losing billions in revenue to privacy concerns.
Yet some experts believe that storing data in the cloud is still safer than keeping it in-house. We spoke to Orlando Scott-Cowley, evangelist, strategist and technologist of email management specialist Mimecast, to find out why.
Q: Why do the Snowden revelations point to greater vulnerability of locally stored data?
Orlando Scott-Cowley: Local data has always been vulnerable to internal attack, loss, leak or deletion - be it accidental or malicious. What Snowden has done for us is to prove this concept in a spectacular and very public way. We spend billions protecting ourselves from the enemy at the gates, but we often don't even recognise there is an enemy within, let alone mitigate or protect against them.
The Snowden leak has shown us that an administrator who has privileged access to your network and data can cause a significant hole in your data security strategy.
We shouldn't, however, panic and assume that all administrators have an evil intent to run off with your IP or customer database. But the Snowden problem is just one in a long line of breaches caused by someone with the correct access, rather than breaking in from the outside.
Q: What security advantages does storing data in the cloud confer?
OSC: In many ways, data is vulnerable, regardless of the storage location. The cloud offers a more secure environment for your data, in that the physical storage of the bits and bytes will be far more secure and controlled than the storage area network or file system in your own server room or data centre. But, as Snowden has proven, even someone as paranoid as a secret government organisation can’t protect their data.
What the cloud offers, and all reputable cloud vendors will do this, is a set of highly visible and transparent reporting and auditing logs, where every administrator action, policy change, content view, etc., is logged and recorded. Your own internal processes should then be able to determine when the system is being abused - provided, of course, you have an internal process which is designed to impose rigour on your administration team. The common lament of on-premise server huggers is to claim the cloud isn't secure since you "don't know who's accessing your data"; but in reality any reputable cloud vendor will show you this detail. It's the LAN- or server-based solutions that allow admins to roam freely over your data, unchecked and invisible.
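The answer above leaves the "internal process" that turns an audit trail into a detection of abuse unspecified. The following is an added example, not Mimecast's code or any vendor's real log format: it runs three review rules over a constructed JSON-lines audit log (assumed fields ts, actor, role, action, target) and flags the patterns the interview describes, an administrator reading many other people's mailboxes in a short window, an administrator exporting content, and an administrator granting a role to themselves. Thresholds, field names and the sample records are all assumptions for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form. The field names (ts, actor,
# role, action, target) are an assumed schema for this example, not any
# vendor's real log format. Timestamps are UTC in ISO 8601 with a trailing Z.
SAMPLE_LOG = """
{"ts": "2014-01-15T09:00:05Z", "actor": "alice.admin", "role": "admin", "action": "login", "target": "-"}
{"ts": "2014-01-15T09:01:10Z", "actor": "alice.admin", "role": "admin", "action": "policy_change", "target": "retention_policy"}
{"ts": "2014-01-15T09:05:00Z", "actor": "bob.admin", "role": "admin", "action": "content_view", "target": "ceo@example.com"}
{"ts": "2014-01-15T09:05:30Z", "actor": "bob.admin", "role": "admin", "action": "content_view", "target": "cfo@example.com"}
{"ts": "2014-01-15T09:06:12Z", "actor": "bob.admin", "role": "admin", "action": "content_view", "target": "legal@example.com"}
{"ts": "2014-01-15T09:07:40Z", "actor": "bob.admin", "role": "admin", "action": "content_view", "target": "hr@example.com"}
{"ts": "2014-01-15T09:08:02Z", "actor": "bob.admin", "role": "admin", "action": "export", "target": "hr@example.com"}
{"ts": "2014-01-15T10:30:00Z", "actor": "carol.admin", "role": "admin", "action": "role_grant", "target": "carol.admin"}
{"ts": "2014-01-15T11:00:00Z", "actor": "dave.user", "role": "user", "action": "content_view", "target": "dave.user@example.com"}
this line is not JSON and must not crash the review
"""


def parse_log(text):
    """Parse JSON-lines audit records into dicts sorted by timestamp.

    Blank or malformed lines are skipped: a review job should report on what
    it can read rather than abort on one bad record.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            rec["actor"], rec["role"], rec["action"], rec["target"]  # schema check
        except (ValueError, KeyError, TypeError):
            continue
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_admin_abuse(text, window=timedelta(minutes=10), distinct_limit=3):
    """Apply three rules to privileged (role == "admin") activity and return alerts.

    mass_content_view     - more than distinct_limit distinct mailboxes viewed
                            by one admin inside a sliding time window
    data_export           - any export performed by an admin
    self_privilege_grant  - an admin granting a role to their own account
    Thresholds are assumed values for the example; tune them to your own baseline.
    """
    alerts = []
    recent_views = defaultdict(deque)  # actor -> deque of (ts, target) within the window
    for ev in parse_log(text):
        if ev["role"] != "admin":
            continue  # these rules are about privileged users only
        actor, action, ts, target = ev["actor"], ev["action"], ev["ts"], ev["target"]
        if action == "content_view":
            views = recent_views[actor]
            views.append((ts, target))
            while views and ts - views[0][0] > window:
                views.popleft()  # drop views that have aged out of the window
            distinct = {t for _, t in views}
            if len(distinct) > distinct_limit:
                alerts.append({"rule": "mass_content_view", "actor": actor, "ts": ts,
                               "detail": sorted(distinct)})
                views.clear()  # one spree raises one alert, not one per extra view
        elif action == "export":
            alerts.append({"rule": "data_export", "actor": actor, "ts": ts, "detail": target})
        elif action == "role_grant" and target == actor:
            alerts.append({"rule": "self_privilege_grant", "actor": actor, "ts": ts,
                           "detail": target})
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_abuse(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["rule"], alert["actor"], alert["detail"])
```

Run against the sample, the sliding-window rule fires once on bob.admin's fourth distinct mailbox, the export fires on the same actor a minute later, and carol.admin's self-directed role grant fires on its own; alice.admin's policy change and dave.user's view of his own mailbox raise nothing. The point of the example is that the vendor's log only answers "who accessed your data" if someone on your side has written down what normal administrator behaviour looks like and checks the trail against it.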
Q: How can cloud services cope with specific regulatory and compliance requirements?
OSC: Many regulated organisations claim they can't use the cloud, "because they’re regulated", in a sort of catch-22 type of circular conversation. The reality is that more and more regulated companies are turning to the cloud, simply because of the improved security and availability of those systems and their data within. DIY compliance is increasingly expensive, time consuming and hard, but the cloud allows companies to deploy simple secure solutions that help and support the attainment of their regulation without all the pain, at a fraction of the cost and time.
Q: What key features should CIOs be looking for from their providers in order to ensure their data is properly protected in the cloud?
OSC: CIOs must take the opportunity, before they sign on the line, to examine the cloud service provider's credentials, both commercially and technically. Due diligence is an important part of the buying process, and actually helps strengthen a vendor's solution by ensuring they understand customers' security requirements first hand. Very few cloud service providers can hide behind a veil of secrecy these days. Reputable cloud vendors are more than keen to be transparent about their security controls, usually under NDA, to help you understand how they protect your data. This is the acid test for a cloud vendor: one who is happy to be transparent is helping you buy their services; the vendor who is evasive, or non-committal about their security, may have something to hide.
Q: How do you think cloud security is likely to evolve in the light of recent events?
OSC: Cloud security will keep on getting better as a result; the security teams that look after these cloud solutions spend their days, and nights, worrying about how to protect their infrastructure and customers’ data from attack, loss and corruption. Every public breach, every software bug, every incident usually invokes a speedy process of response, analysis, verification and testing by a team of experts to make sure their own services are not affected and can't be compromised.
This is one of the major benefits of using a cloud service - the provider's dedication to the service and reaction times is far superior to anything that could be achieved on-premise, and the controls in place to protect data are designed to protect millions of users rather than a few hundred or thousand on the LAN. We often talk about scale in the cloud, and this is never more true than when talking about security - the cloud allows you to have a level of protection for your data that would only be achievable on your own network if you had a Department of Defence-sized security budget.
Q: What one piece of advice would you give to companies concerned about security?
OSC: Stop worrying and don't be afraid. Easy to say I know, but if you're paralysed by fear you won't be able to react and adapt to the changing threats that face your organisation. There is a lot of FUD (Fear, Uncertainty and Doubt) marketing out there, but remember it's designed to help you hand over your security budget to that vendor rather than educate you to the risks. The reality is that, yes there is a threat and it's changing fast, but you need to understand the threat, understand how you could be impacted by it, and understand what gaps you need to fill.