Listen: as cloud computing consultants, we drink the cloud computing koolaid. We’ve implemented cloud-based software for businesses of all sizes, across just about every industry. We’ve seen it revolutionize how businesses work.
We’ve also seen security become a very real and increasingly serious concern.
Don’t worry, it’s safe!
When we first began showing cloud-based software to clients, the idea of storing your data remotely was a new concept. Like clockwork, clients were all concerned about security. Is my data safe? What happens if the software company folds? Can we be hacked?
Like good cloud computing consultants everywhere, we’d listen, smile, shake our heads, and explain why clients needn’t worry, how storing your data on 3rd party servers was safer than storing it locally, how Google had armed guards.
And that was all true. In many ways, top-of-class cloud-based software tools do deliver top-notch security.
But in other ways, those early clients had prescient concerns. The shift to cloud computing has – in subtle and not-so-subtle ways – followed a fundamental shift in data and how we think of property writ large.
Lets rewind….
Software-as-a-pain-in-the-ass (SAPAS)
Before Salesforce, before Google, there were local servers and hard drives. If businesses used software (and that’s a big “if”), they had it installed locally, on-site, on their own computers or servers. Barbaric, I know.
This had major disadvantages: accessing your programs if you weren’t at the office was a pain. Syncing data between workstations was a nightmare. Collaborating in real time without overwriting was impossible.
Then there were the bills. Typically, companies paid third-party consultants like us huge retainers to maintain servers, push updates, and install patches. The value-add of those consultants was technical – they operated as IT janitors, doing the dirty work that no one else wanted or knew how to. Inexplicably, this is still a viable business model.
But for many businesses, cloud computing changed all that.
Enter the cloud
With cloud computing, businesses didn’t have to worry about maintaining anything. Sign up for an account and you’re done: the vendor does all the dirty work, no middle-man necessary. Just you, your data, and your sweet, innocent software.
Other advantages followed. Because vendors no longer relied on resellers for sales, the market was flooded with new software options – and increased competition meant better, cheaper products. And because the cloud affords technical advantages (such as integrations), the feature-set deepened. What could possibly go wrong?
The fight for your data
As many, many observers predicted, data privacy and security is today a major concern for businesses. This fact is highlighted by recent revelations about the NSA’s writing backdoors into consumer software, and Target losing credit card data on tens of millions of its customers.
Used to be, we didn’t care much about that stuff. It won’t happen to you.
But the reality is, something major has happened. Most businesses don’t have technical control of at least some – if not all – of their data anymore. Their banking data, their client data, their sales data, their documents and records – for millions of businesses, that stuff is stored on anonymous data servers and leased back.
Now, I’m not saying that’s an inherently bad thing. And it’s still true, for most businesses, that their data is safer (in some ways) now than it was when it was recorded on some dusty Exchange server in the closet.
But it’s also true that vendors, businesses, and consultants all need to do a better job of being honest about the state of software security. Too many vendors say “we use bank-grade encryption” and leave it at that. Too many clients aren’t asking the right questions. And too many consultants just don’t care.
A better way
By definition, cloud computing means a loss of some control. A relinquishing of technical reigns in return for better products. That’s just a fact.
But that doesn’t mean we can’t demand more.
Vendors should have transparent security outlines, where it’s 100% clear where your data is, what they’re doing with it, how it’s protected, and what they plan to do when something goes wrong.
Businesses should demand more. When vendors or consultants don’t address security, they should force the issue – and don’t accept anyone rolling their eyes.
Consultants should care more. They should know about SSL vs TSL; the difference between hashing and encryption; the strengths and limitations of multi-factor authentication.
This stuff is stressful to think about, but it’s super important. We’ve never had a client or a vendor suffer a data breach, but we also know it’s a lottery – and it’s up to us (and you) to mitigate risks.
Original article by Chris Bliss
