Assess your customer's cloud security risk
Stephane Estevez asks whether the issue of cloud security is primarily a red herring
Cloud means a lot of things, and there are many versions of something-as-a-service out there. But if we get back to basics, is cloud security really different from any outsourcing contract? And does it always mean that a cloud infrastructure is less secure than any IT infrastructure?
It depends. If in some industries it does not make sense to outsource some critical data, it will not make sense to use cloud. Identifying which types of data handling can be outsourced and which types need to stay under full company control is the first step, even before talking about the cloud security aspects.
Risk assessment is the next consideration. Cloud means having less visibility of the details, and often an associated fear of the unknown. If your customer is a small company, with data that is not an interesting target for hackers, it is highly probable that cloud may be more secure than their own IT infrastructure in some respects.
For large enterprises, a hybrid approach mixing cloud and on-premise, public and private, could be a good way to mitigate risk and get the flexibility and cost benefits of cloud offerings, whether we are talking about IaaS, PaaS, SaaS, or XaaS.
Back to basics also means you need to look into all aspects of the service. Is your service offering reliable enough? How can the customer recover the data if the contract ends? Is the data encrypted and who can access it?
These are the same questions that should have been asked in the past, around any outsourcing contract.
Is the physical address really more important than the legal jurisdiction? Usually, if the customer is based in London, constraints on physical access to the servers or cloud infrastructure will be the same whether the UK cloud provider has a datacentre in Birmingham or if you are working with a German provider hosting the customer's data in Munich.
Regardless, the customer cannot physically access the devices. So unless the customer has specific legal or compliance requirements, they are better off focusing on your SLAs, rather than your location.
What is the risk the customer will accept? And is the value you can offer greater than that risk?
When we talk about security, we often think about firewalls, user access directories, encryption and so on, but security is also about protecting against data loss, user error and data corruption. So it is also about backup, making copies at multiple points in time, and disaster recovery.
Many small companies or remote offices cannot afford big-budget disaster recovery. So, for the customer, the risk of outsourcing must be less than the risk of not having DR.
What is more likely to happen? A security breach, a natural disaster, or data corruption?
There is no one-size-fits-all solution. But can the IT team face all challenges itself, without external assistance?
Stephane Estevez is a senior product marketing manager at Quantum