Tuesday, August 11, 2009

The Cloud has Security Issues - So, what's new?

There is so much talk about the cloud and cloud-based SaaS - with many in the "Ok" camp, and as many in the "Not ok" camp. The biggest reason the Not Ok camp gives is security, data confidentiality, and so on.

However, when the security issues are detailed to me, I have to shrug off the feeling of deja vu. Now, where have I heard those before? The issue that the same server could be holding our competitors' data, so just what happens if our data is leaked to them, and vice versa. The issue that since the servers are not within our premises, how do we know that nameless, faceless, masked people are not walking in and snooping on the data? And then, there are some on disaster recovery. Oh, what if their server breaks down? What will we do?

These are all legitimate concerns, and they need to be addressed. These concerns were always there, and the risks were always there too - just as we did earlier, we need to understand those risks and manage them. To be able to do that, we first need to manage the fear that stalks our minds and paralyzes them, and then we can really deal with the risks. Fear of the unknown is a luxury that most business people can ill afford.

In the early days of networking, when we started to use the internet to transfer company-sensitive data, rather than our own completely-owned VSAT networks, the kind that networked only internal machines and had absolutely no path out, we had to contend with our hysterical business people worrying that the same wires carried their competitors' data. We had to sit them down, and patiently explain how we "could" secure the pipe, even when the pipe was now shared. It was important for us to explain how our competitor, though sharing the pipe, could not look into ours, and to list the risk probabilities out. Soon, people understood, and the days of relying on the internet to transmit business data began.

Then, when we moved our servers from our own premises to third-party data centers, another fear, of losing location control, had to be taken care of. We had to explain that even though the data center could have our competitors' servers as well as ours, the ingress/egress policy, agreements, user provisioning policies, and a whole slew of other measures could deal with this risk. We also had to explain that competitors stealing data or user identity theft was not something that was only technology related, and that dealing with it had to involve people and an understanding of the inherent risks in working with human beings. Soon, once again, people understood, and today, most companies do not have their ERP or BI data servers in-house, but in secure, managed third-party service provider setups.

Even in the case of cloud computing, the scare of sharing the same computer, or even the same application, with the competition is large - and legitimately so. Once again, rather than giving in to the nameless fear, we need to understand the risks of using a shared infrastructure and a shared application one by one, and break them down into risks that we can then examine properly. And then walk the business users through the risks, and allow ourselves and them to come to an informed decision.

Point is, the risks of data security were always there. When we had our neat little machines on our tables, with no network, we had them then. When we networked them, we had them then. When we moved them to the shared data centers, we had them then, and now too, when the cloud computing and SaaS wave is upon us, we have them now. Just like the earlier times, we need to deal with the risks, and not just throw away the enormous benefits that the new paradigm can offer, simply because we are too paralyzed with fear to deal with it.

So, CIOs, just dig a little deeper. The more things change, the more they remain the same. And you will deal with this too, just the way you dealt with all the previous fears - and embrace this brave new world.

Amen to that!