To the Cloud (Safely)

After all these years of outsourcing and Cloud computing, people are still blogging about the crazy risks of putting corporate data and emails in the Cloud.

Most of these arguments just put a negative spin on the whole Cloud concept rather than looking at the reasons and solutions. So let’s do that.

The first task of any Cloud Consultant is to ask *why* a business is considering moving to the cloud. The second task is to give advice on the benefits and risks. And where there are risks, what the various strategies are to minimise them. Nine times out of ten, businesses make changes in IT to keep costs down. As IT is generally not the core business it is viewed as an overhead as opposed to a revenue earner. Cloud is no different and businesses look to the cloud to save them money.

However, simply looking at cloud services with $ filtered spectacles falls short of understanding the complexities involved, both internally and externally. Consuming services from the cloud is a very different proposition to running services internally. Most of the skills needed to run services internally are not in the same basket as skills needed to manage vendors and consume services.

Moving to the cloud generally involves two big issues: 1. putting corporate data in the cloud and 2. putting corporate email in the cloud. Email is a kind of corporate data, but more on this later.

Let’s deal with issue 1. first.

The most common scenario is that a large company has evolved with internal systems, including SANs or NASs which are kept in a “secure” data centre. A place where physical access is restricted and where connectivity is all internal and on networks owned by the company. This is generally regarded as being high security. In order to circumvent the security of the data you need to be a malicious external hacker or a malicious internal employee. Where physical devices and storage are outside company premises, i.e. laptops these are generally protected by encryption and biometrics.

Companies who perform tape backups typically send them offsite in the care of a third party. In principal this is no different to cloud computing. You are trusting a third party with the management and content. This brings us to trust. Most people, and most organisations have a black and white view of trust. Either you trust an employee / third party, or you don’t. This idea is encouraged, almost forced by the fact that there is only one view of data: highly confidential.

One of my favorite lines from THHGTTG is when Ford Prefect asks Arthur Dent to trust him, to which Arthur replies “I do trust you. Just not very much”. Trust, like most things comes in shades of grey.

Pretty much all business is based on trust so why the big hang-up about trusting someone with your data? The problem is not the trusting per se, I think it is (lack of) knowledge about the data in question.

The first step for companies moving to the cloud is to think about the types of data they have and how to classify it. Depending on the size of the company this can be a short 1/2 day exercise or a mammoth project in it’s own right staffed by a dedicated team and implementations of filesystems capable of recording and enforcing classification metadata.

Hand-in-hand with a data classification exercise (or merely thinking about what types of data you have) is a risk assessment: what risks are the company concerned about: availability, public disclosure of sensitive information, industrial espionage? And how likely are those scenarios to occur. Given, as we are led to believe, that 80% of data breaches comes from internal employees with a grudge to bear, a company’s data might well be safer in the cloud.

Once a company has determined what types of data they have and they have assessed the risk, then it’s time to think about putting that in the cloud. The complexities I mentioned above now arise as there may need to be a process to classify data and a way of managing data based on it’s classification. The industry is immature in this regard. But the cloud can help!

Depending on what the risk view is, the cloud can be an ideal home for a large part of the companies data and in itself be a (crude but effective) method of data classification: if it’s in the cloud, we manage the risk like this, and if it’s on-premise we manage the risk like this.

So to re-cap, arguments about risking your entire company IP or being embarrassed about sensitive information being disclosed should not point the finger at the cloud: these risks exist already, wherever your data is. Understand the data, understand the risk and carefully choose your cloud provider and technology. Adopting the cloud, when approached correctly, will result in a more efficient and secure business.

More on the topic of mail later.