People who believe the cloud is not secure enough are missing the point, says Peter Judge. If the MoD can lose an entire server then, chances are, it’s your internal data centres that aren’t secure enough.
This week we had an interesting meeting with Google. The company said more or less what we expected: cloud services are the way forward, and in-house data centres are over.
That same day, we got back to the office to find news that added a whole new perspective to the meeting: we heard the Ministry of Defence had lost an entire server from a secure data centre.
What was the connection? Well, Google had been fighting back against the widespread perception that cloud services are not secure enough for large organisations – and its argument was spirited. Cloud services aren’t less secure, said Google Apps security boss Eran Feigenbaum: they are actually more secure.
In the cloud, data is accessible to anyone who has the password, and that includes anyone who can guess it, crack it, eavesdrop it, or fool or force it out of you. So it seems obviously less secure.
But consider the extent to which “non-cloud” companies expose themselves. Users are expected to work anywhere, and that means accessing business systems over the Internet. Sometimes this might be over an encrypted VPN, but very often it isn’t.
The majority of publishing companies I have worked for in the last ten years have a publishing system on a publicly accessible URL, which users can access using a username and password. That’s the price of asking journalists to contribute when they are on the road. And other business tools such as CRM and ERP have to be equally accessible for mobile workers.
Company email systems including Microsoft Outlook may run on company servers inside the perimeter, but they include a webmail option, whereby a user (or anyone else who knows the password) can access the system over the web.
So most companies are already in the cloud, whether they like it or not. But they’re doing it in a far worse way, because the devices they carry around are stuffed with files and attachments. Better to accept the data is mobile, and concentrate on keeping it in the cloud and securing the cloud.
Now, to my mind, that means we’ll inevitably have to start applying two-factor authentication – UK banks already do it for customers, issuing them with authentication Chip and PIN devices to use in the home. But companies in the cloud don’t often do that. Even Google doesn’t, to judge by Feigenbaum’s attempts to dodge the question.
So should we wait and see how cloud security pans out? Actually, I don’t think so. While we are doing that, we are all losing gigabytes of data on USB keys and laptops (sometimes as many as 20 percent of the company’s laptops).
And, as if that’s not enough, the MoD has proven that, even if you keep hold of all your laptops, someone is going to walk off with your servers.