Gavin Payne is a principal architect for Coeo, a SQL Server professional services company, and a Microsoft Certified Architect and Microsoft Certified Master. His role is to guide and lead organisations through data platform transformation and cloud adoption programmes.
When organisations consider adopting cloud services, they’re right to question their security. However, innovation by the major cloud service providers often means they now routinely provide more secure solutions more cost-effectively than traditional on-premises computing. Consequently, perceptions – and expectations – about cloud security are evolving and are now focussed less on technology and more on how cloud vendors are protecting our privacy and data sovereignty.
The quest for technical security
When cloud services as we know them today first started appearing, some of the biggest concerns were about their technical security. Were they vulnerable to hackers? Could customers see each other’s data? Was data being backed up? Would the company still be in business in six months’ time?
These were – and still are – valid questions. However, the large cloud service providers now have good answers to them. In recent years, they’ve built significant security credibility from real-world adoption, deploying new technical capabilities and gaining compliance certifications. Consequently, we should now feel more comfortable about their security than we used to. In fact, an increasing number of IT leaders are finding cloud services are more secure than anything they could cost-effectively deploy themselves. The vendors are very open about their capabilities too.
Microsoft, for example, now provide detailed information about the invisible and visible, and standard and optional, security features they provide – about both technology and processes. Equally importantly, they provide evidence of external validation by alliances, governments and industry bodies about the grade and quality of their security capabilities. A good example of their guidance is available in this practical guide here.
Increasingly then, the opinion of technical teams is that there are now enough technical security tools in a cloud vendor’s armoury to create secure solutions.
Broader security questions
While those teams now have the tools they need to stop illegal access to their systems, organisations and perhaps society as a whole are asking broader security questions: who can legally access their data even when it’s behind a cloud vendor’s high walls and deep moats?
Having IT services provided by a third party from an external site is nothing new. IT outsourcing companies have been providing that capability for a long time. What has changed in the cloud era is the scale of the operations providing those capabilities and the geographic and legislative boundaries they span. Unlike solving technical security concerns, data privacy and data sovereignty issues need more consideration – but, fortunately for IT professionals, not much more.
Data encryption was once a tool reserved for the most nervous of industries, but today it’s almost on by default for internet communications, laptop storage and personal messaging systems. The cloud services world is following, ticking the encryption box by default more and more. Some vendors are going much further. As an example, Microsoft recently announced their Office 365 services will soon encrypt an organisation’s data so even their support engineers don’t have access to it. SQL Server already provides similar capabilities in the database tier. However they get implemented, we can expect this “your servers but my data” style of encryption to be a focus of cloud vendor investment in the near future. IT development teams should also adopt this practice when creating their own cloud-based applications.
Finally, data sovereignty is another consideration that’s high on today’s corporate and personal information security agendas. When data is at rest in a secure data centre, we want to know which countries’ governments can legally ask for a copy – and not be refused one. This legislation is something few of us as individuals can influence. Instead, what we can do as consumers or administrators is remember the impact of selecting a geographic option when we deploy or subscribe to a new cloud service. Choosing services hosted in Europe rather than America or Asia affects not only performance but also the legal powers of governments.
Today, Europe has very strong data protection laws that give a practical degree of confidence about the protection of data between borders. The future of this area is complex and something that countries are still debating as they realise the limits of yesterday’s approaches to global law enforcement. However, if we can expect any changes in this area, we should be reassured that big commercial interests depend on our protection getting stronger rather than weaker.