Are You Risking Compliance in an “Unsecure” Cloud?
Posted by Stephanie O'Neill on Wed, Jul 01, 2009 @ 11:03 AM
Two of the biggest concerns about cloud services are data control and security. While these are both very valid concerns, the security fear is also unsubstantiated (some vendors do have questionable practices about data ownership, but LiveOffice believes that every KB to TB of data belongs to its clients, and they can get it back whenever they want).
Software-as-a-service (SaaS), or cloud, providers actually have some of the most advanced equipment and technologies on the market - much more high-end systems and safeguards than the majority of companies can afford on premises. After all, this is their livelihood. If they aren't experts at securing the data they store, they won't be around for very long.
Compliance goes hand in hand with these issues, but data stored on a vendor's servers is vulnerable to the same threats as data stored on your own servers. The important thing to note is that the best service providers are well equipped to deal with these challenges and minimize risk. Ultimately, they can do it more effectively than you can.
While there will always be naysayers, some feel that security is best left to the cloud. "SaaS is tailor made for keeping up with the rapid pace of malware development," says Cody Leser, senior director of channel sales at Trend Micro. "There's no way to push patch files continuously; you have to do it in the cloud."
Todd Fitzwater, principal at Demand Solutions Group, says, "Your data is actually getting taken care of in [service providers'] data center[s] better than in yours. The backup and recovery, disaster recovery and security around the servers is much tighter and higher grade than you would put in your own data center."
As with any major decision, companies need to do their due diligence and ask questions - lots of them. Where is the data being stored? What security measures are in place at each data center? Are the data centers redundant? Are the data centers monitored 24-7-365? What type of encryption is being used to protect data in transit? What type of infrastructure is being used to host the data? What type of spam-and-virus protection is in place? Can the data centers handle a sudden increase in demand? How often is data backed up and where are backups stored? Does the service provider enlist an independent, third-party vendor to conduct periodic security scans and other checks? What happens in the event of downtime or a disaster? What happens if the company decides to move its data elsewhere? What happens if the service provider goes out of business or sells to another company?
In the end, you need to make sure you are comfortable with the answers you receive. If there is any doubt about the security of your data, it's probably time to talk to another service provider.