IT network diagrams often include a symbol for the internet, a fluffy cloud. Just like its natural namesake, ‘The Cloud’ as an application service delivery model is a mysterious, organic, opaque and immeasurable entity, and just as likely to show a silver lining as to conceal and then release a malicious electrical storm. As a customer of a Cloud service provider you place your data into a system that deliberately, in the name of commercial confidentiality and security, reveals nothing about its internal workings. Sure, there are reassurances and even guarantees, but watch out for the caveats; in the same way that insurance companies disclaim with force majeure, the Cloud service provider will only guarantee what he can directly control, and IT history tells us that’s very little.
One could, and is near forced to, blindly trust the provider, relying on the perception that they are an honourable company, that they know what they are doing and that they can be trusted to protect your data come what may. From a security point of view (not to mention operational, privacy or compliance matters) the concept of blind faith has a difficult place in an organisation’s business.
Once signed up to a cloud service, you and like-minded peers are close together, sharing the service and its resources. Where in nature there can be safety in numbers, in technology, if part of the service is under attack, there’s a fair chance you’ll be caught up in the collateral damage and suffer along with the intended target. So a question for the service vendor is: ‘am I sited anywhere near a prolific, controversial or combative organisation?’
One counter argument could be that these companies have excellent reputations, that nothing so far has ever compromised a client’s data security and that they make every possible effort to keep it that way. The service provider will give assurances that you and any other organisation are electronically separated by a large margin, and that they have an infrastructure resilient to power outages, theft of hardware, theft of intellectual property (data), single points of failure, and digital attack or denial of service. They will say they perform x number of penetration tests per year. But it will always be in your mind: you may have hired the IT equivalent of an unknown person looking after the kids overnight.
Keeping your servers and their data locked up in your own office or server room, with your own internet connection or two (which is wise), paying your own power bills, making sure your antivirus and system security patches are up to date, and making sure that when employees leave they don’t leave with the accounts or the master client list, means you are master of your own security and system availability.
If you don’t trust yourself to do this properly, there is the option to offload these IT functions to a cloud service provider out there, on the internet, amongst many others. Better, get to know a trustworthy and proven IT solution provider, but keep the data and its dependencies under your own lock and key.
(c) Paul Appleby, London Data, September 2009. www.london-data.co.uk. First appeared in part in print in Civil Society IT, September 2009 (c) Civil Society Media.
