Cloud computing and its potential to offer powerful computing and data storage options to even bootstrapped small businesses at highly competitive prices have generated plenty of excitement in the industry. So much so, however, that critical questions regarding the security of the data stored “in the cloud” are often overlooked by its most enthusiastic adopters. It’s understandable, given the heavyweight names behind some of the biggest cloud computing projects in the world. (Google Apps, anyone?) If companies like Cisco and Oracle are betting their futures and fortunes on cloud computing, surely that must mean that all the kinks have been worked out already, right? Or at the very least, security must be a top priority for them as well, given their zealous approach to network security in general, and we can all enjoy the trickle-down effect of their tireless efforts to firewall our data from any and all security breaches.
Well, yes and no. Cisco CEO John Chambers admitted as much in a speech he delivered in 2009 that, while cloud computing presents innumerable opportunities, it’s also a “security nightmare.” And with good reason. Some of the security issues that cloud computing providers must address in order to allay customer fears include:
Multi-tenancy issues. Cloud computing, by definition, involves shared data storage among a number of users spread across multiple companies and locations. Providers must be able to reassure corporate clients that users from another company will not be able to gain access to – accidentally or otherwise – their account and information.
Data loss and recovery. What happens in the event of a catastrophe that results in data loss? Does the provider have a rigorously and regularly tested backup solution to ensure data recovery? If a problem occurs in one client’s account that results in data loss, does the provider have fail-safe systems in place to ensure that a devastating cascading effect doesn’t occur that will lead to data loss among their other clients? What if the cloud computing provider goes out of business, is bought or taken over by another company, or declares bankruptcy? How will its clients be assured that their sensitive corporate data won’t be lost in the transition or closure?
Storage and hosting information. Where is the data itself physically stored? Are the servers somewhere in Silicon Valley, Chicago, or Bangalore, India? Who provides the actual hosting services? If the host provider is a third-party, has the cloud computing provider properly vetted its credentials to ensure that they adhere to industry standards for data security?
Security tests and updates. How often is the software or platform updated? How often is it tested? During and after testing, does the provider have systems in place to ensure that any updates or tweaks not result in security breaches? You’ll want to make sure that unauthorized users – from your company, your provider or a third-party – don’t inadvertently gain access to your information.
Compatibility of different security policies. If your company has an established security policy regarding sensitive client and corporate information, does it differ from the policy offered by the provider? Is the provider willing to meet your internal standards of security? What about third-party companies with whom the provider does business and who may be involved in some way with the service? Will they adhere to your corporate standards as well?
Collaboration issues. One of the most appealing benefits of cloud computing is its ability to promote collaboration among its users, either with internal staff or external parties. Does the software or platform provider have systems in place to ensure that collaboration doesn’t compromise securit