Can we trust cloud providers to keep our data safe?
- 29 April 2016
- From the section Business
Cloud computing - storing data and applications remotely rather than on your own premises - can cut IT costs dramatically and speed up your operations.
But is it safe?
Despite the rise of public cloud platforms offered by the likes of Amazon Web Services, Microsoft Azure and Google Cloud, less than 10% of the world's data is currently stored in the cloud.
So what's holding many companies back?
Technology of Business explores the issue of cloud security.
What's so good about the cloud anyway?
Building your own energy-hungry data centres is expensive and time-consuming, while managing hundreds of software applications chews up IT resources.
If you can outsource a lot of this hardware and software to specialist tech companies that can expand or reduce the level of service according to your needs, it can save you a lot of time and money.
More Cloud Computing features from Technology of Business
- Fast cash: The high-speed world of cloud-based finance
- From wetsuits to wine: Small firms embrace the cloud
- Could cures for cancer lie hidden in the cloud?
- The wearable tech giving sports teams winning ways
"Business leaders are looking to optimise and grow their businesses, and cloud can give them that - reducing costs and providing better customer experience," says Gavan Egan, managing director of cloud and IT solutions for global telecoms giant, Verizon.
And being able to plug into a range of ready-made cloud-based services helps you develop new products at a faster pace, potentially giving you a competitive edge.
What are the risks?
"The biggest risk is giving up control of your data to someone else using different data centres in remote places," says Mr Egan. "What happens in the event of a disaster? You're also putting your data next to someone else's."
In other words, your data could get lost, wiped, corrupted or stolen.
There is also a risk that by outsourcing file and data management to a third party, firms will assume all the security has been taken care of, argues Kamran Ikram, managing director of consultancy Accenture's infrastructure and security practice.
"You can't assume that - it's still your data and you are responsible for it."
So how do cloud providers keep our data safe?
The most obvious way is through encryption, both while the data is in transit and while it is "at rest" on the cloud servers, explains Ian Massingham, Amazon Web Services' (AWS) chief evangelist for Europe, Middle East and Africa.
AWS, by far the biggest public cloud platform provider with more than a million active customers a month, has more than 1,800 security controls governing its services, says Mr Massingham.
Customers can choose to control their own encryption keys if they wish, he says, as well as set the rules for who can and can't access the data or applications.
"Most of our security innovation comes from customer demand," he says, "so the bar for security gets ratcheted up every time.
"But we're not the owners or custodians of the data - we just supply the resources," he says. "We don't control how the data is protected, customers do."
It says a lot that online retailer Amazon is happy to run its entire business on its own cloud platform.
What other security methods do they use?
Mark Crosbie, international head of trust and security for Dropbox, the cloud file storage and collaboration company, says the way data is encrypted can also increase the level of security.
"We split each data file into chunks - a process called sharding," he says, "and these chunks are then separately encrypted and stored in different places, so if someone did manage to break in and decrypt the data they'd only get access to random blocks."
Aaron Levie, chief executive of cloud rival Box, says: "Instead of sending the files, Box sends a link to the file - you can preview the content without actually downloading the data. Our software was designed to deliver a much more secure way of sharing content."
Dropbox also encourages companies to use two-factor authentication - passwords supplemented by a one-time code generated by a different device, such as a smartphone or fob.
"The bad guys always target the password - people are still the weakest link," says Mr Crosbie.
So is data actually safer in the cloud?
Well, that depends on the quality of your cloud provider compared to that of your own IT department.
Most of the major data breaches that have taken place over the last five years, from Sony to Ashley Madison, TalkTalk to Target, have been from internal, not cloud-based, databases, says Amichai Shulman, chief technology officer of cybersecurity firm, Imperva.
But he adds: "There is always an inherent threat that administrative personnel working for a cloud provider could access your machines or data from within - that's a business risk you are taking."
This is why the major cloud providers give customers the option to handle their own encryption keys, meaning no-one inside the provider could get access even if they wanted to.
And some companies are now adopting a "hybrid" approach - keeping their more sensitive data in a private cloud and other data and applications in the public cloud.
If it's so safe, why isn't everyone moving to the cloud?
Good point. These are still early days - less than 10% of the world's data is estimated to be stored in the cloud.
"Financial institutions have been reluctant to go to the cloud because there may be holes in the model - they're risk averse," says Accenture's Kamran Ikram.
But even this understandably cautious sector is gradually beginning to trust it.
Late last year, US bank Capital One said it was reducing the number of its own data centres from eight to three by 2018 and moving a lot of its processes and product development to AWS.
And Towergate Insurance recently announced that it was migrating its IT infrastructure to the public cloud as well.
Where is all this data stored?
The major public cloud providers offer a number of data centres - AWS covers 12 regions globally - storing multiple copies of customer data. So if one centre is destroyed in an earthquake or other natural disaster, your data is still safe.
But concerns around data privacy, particularly in Europe following the rescinding of the Safe Harbour data sharing agreement and the Edward Snowden leaks, mean providers are increasingly offering the option to host data in customers' own regions.
US file storage and collaboration firm Box, for example, recently announced it would be expanding its data storage locations to Germany, Ireland, Singapore and Tokyo, by piggybacking on existing cloud infrastructures provided by IBM and AWS.
Having this choice is particularly important for heavily-regulated sectors, such as financial services and healthcare.
How do you choose a good cloud provider?
That largely depends on what you want it to do. Certain cloud providers specialise in specific functions: Salesforce for sales and customer data; Workday for finance and human resources; Box for file sharing, for example.
But first and foremost, a cloud provider must understand your business, says Verizon's Mr Egan.
"Do they understand the regulatory requirements governing payment card or health data, for example," he asks. "And can they prove that they can do what they say they can do?"
Imperva's Amichai Shulman says prospective customers should also ask to see up-to-date certificates from international security standards organisations.
But reputation is as good a guide as any.
Follow @matthew_wall on Twitter