Tuesday, 8 November 2011

Clouding the Issue

I read an article in CRN recently about security in the Cloud, specifically relating to data. It cites that the Information Commissioner (ICO) - right, I hadn't heard of him or her either - can fine companies up £500,000 for reckless loss of data.

The article, by Steven Hughes who works for COLT, puts the frighteners on anyone considering Cloud as it bangs on about robust security procedures and that these cannot be covered by an SLA from a provider (unless it's COLT, I assume).

It caught me thinking that security policies are openly flaunted by companies every day with or without a Cloud infrastructure. Laptops full of data are carried around by employees, including senior executives and CIOs, every day and losses are actually more regular than you think. While it may be difficult to get access to the network from these lost or stolen devices, the local information on the laptops is far more easily accessible.

It almost argues in favour of a consistent, central policy for data handling which is protected by a VPN login and the Cloud is as well suited to that as any. It would argue that local data on laptops is actually very bad policy, even if this is good practice by mobile employees. The fact is, with modern communications, access to networks via VPNs is getting far easier and so excuses are getting less for local storage.

While Steve Hughes highlights important points about data security and policies, the fact remains that most companies may have policies but few rigorously use them even without Cloud infrastructure. You could even say that Cloud isn't the issue here - it's people.

The article does look at a couple of other areas of great importance - notably SLAs which can be nebulous and even meaningless with some hosting companies - and the consumerisation of IT (or Bring your own device - BYOD) which threatens security in corporate networks. Given that executives surveyed by CRN recently rate BYOD as less than 30% in terms of importance to company executives in terms of a threat, then Steve Hughes makes a very key point. BYOD is a threat and it should be taken seriously.

Security issues surrounding data don't change when you view the Cloud, it just brings them into sharp focus. My concern is that it isn't that the Cloud per se is unsafe, it's company policies and procedures governing data are usual at fault. This doesn't really mean that Cloud is an issue - it just makes sure that companies consider the implications and check their compliance and governance targets are met when considering the Cloud or any network.

No comments: