Guess what? Your cloud vendor's data center is more secure than yours
When I was at the Gartner Portals, Content and Collaboration Summit a couple of weeks ago, one thing that surprised me was the persistent notion that somehow the cloud was inherently less safe than a company data center--whether stated explicitly or implied.
As I listened to the analysts give their presentations, I was struck that in 2013, they were still trying to soften the message for the audience, who might not be ready to hear that the cloud is perfectly safe, and possibly even safer than their own data centers. Worse yet, some were perpetrating the myth that it wasn't.
That's because the cloud vendors are firmly focused on security. They know all too well that every outage or breach is magnified on the Internet and especially on social networks, and if security isn't top notch, they are going to be out of business very quickly. They will lose their current customers' confidence and will have a hard time finding new ones--and that's not just marketing BS, that's a fact.
So, I was surprised when I overheard a conversation in which one administrator, still confused about the cloud, put it this way. She would compromise and put her non-critical files up in the cloud, but she would have a "walled garden" in-house in her data center for her most critical files.
After I apologized for listening in, I asked her why she thought her data center was any safer than that of a cloud vendor, which is getting paid precisely to keep her files safe? She didn't have a good answer because she probably hadn't thought it through.
And you have to wonder how many security decisions are made this way, based on some gut-level feeling that security must be compromised by doing x. It may not be based on any real research or understanding at a technology level, but the initial reaction is to say no and wait for pushback. As my wife said, when I mentioned this to her, that's human nature, not necessarily limited to IT (and in fact, she accused me of using the same knee-jerk decision making process--well I never...)
Of course, not all cloud vendors are created equal and not all will necessarily have tight security, so it is in the best interest of your company to do your due diligence before you choose a vendor, but when you've seen the proper certifications, read their security plans and perhaps even visited one of their data centers, you should have a good grip on just how secure your files will be in that vendor's care.
That doesn't mean that there will never be any breaches, any more than you can guarantee there won't be in your own data center, but it should give you a reasonable sense of the vendor's security credibility. You still need to deal with issues of governance, but that is more of a policy-level problem than a technological one--and it's required regardless of where your files live.
I've been hosting some twitter chats lately about the cloud, and the consensus among the IT pros who attended these chats is that the cloud is taking over. Fairly soon, in the not-too-distant future, we won't be having these discussions anymore because where data is stored will be irrelevant.
For today, at least, it's plenty relevant to many IT pros and that's fine. It's your job to worry. Just don't get caught in the trap of overstating risk at the cost of the reward. It's an all too common reaction to change of any kind, but especially in technology.
Remember, your data center is probably less safe than your vendor's--and you need to gauge the risk realistically. - Ron