Is cloud computing really as secure as the other options?
Answers
This is a great question and the answer is - it depends.
We have evaluated a lot of on-premises sites and have found them to be less secure than the cloud for the following reasons: access to servers is not controlled, the IT personnel are not adequately trained in security controls, inadequate Disaster Recovery planning, lax backup/recovery procedures, and anti-threat software/hardware is not installed/maintained at the site.
By contrast, most cloud vendors hire experts to manage security - they can better afford this because they can spread the cost across multiple clients. Good security personnel are rare and expensive, and most companies cannot afford the luxury of having such people on staff.
A good litmus test is this: If you ran an SSAE-16 assessment on your own IT department, would they fare at least as well as the typical cloud vendor?
Full disclosure: we are not a hosting company, although we provide guidance to clients on whether they should host or remain on-premises. Internally, we use cloud services for
I agree with Donald wholeheartedly. Many experts are converging on this topic and concluding that SaaS companies are actually more secure because security is a core competency within these companies.
The main question about a SaaS vendor as a prospect should be - Is this a well-run SaaS company that takes security seriously?
Here are some simple questions you can ask as you do your due diligence:
1) Does the company have a security team/expert?
2) Do they complete SSAE-16 assessments, do they get good results, and will they share these results with prospects/customers?
3) Do they have an SLA (Service Level Agreement) in place with customers with uptime and support level commitments?
4) Do they put their money where their mouths are if they do not meet SLA uptime requirements (e.g., monthly credits, contract outs for repeated problems)?
5) Do they have a disaster recovery plan in place, and if so, how often do they back up data (this drives maximum work lost in a disaster) and how long would it take them to get up and running in a disaster situation?
I'd like to add a modifier to the due diligence.
Just because you pass a test or assessment doesn't mean you are prepared. How many malpractice suits are filed against licensed professionals every day for botching what they are supposed to know and perform?
Plans are a great starting point, but no disaster is like another and no plan is perfect.
So the question is: When was the last time they executed their plan, to what level, what were the hotwash results, what was identified as weaknesses, and (lots of and's) were the fixes implemented?
Now, did they repeat the processes to see if those fixes worked?
This question is very useful in regards to one dimension of data security. I agree Cloud providers pay attention to security because their reputation depends on it. However, a secure cloud environment does not mean 100% security. Data can leak via other means: employee error or theft (think thumb drives, smartphones, laptops, home computers containing company data).
It's a good idea to evaluate your internal policies and procedures as well.
The more I read and research this issue, the more I find that web security is being addressed by the Cloud providers and, as the other commenters have stated, is better than many (most) user-hosted environments. One of the main concerns is Data Security from Cloud Service providers. Key questions to ask include:
Who has access to the environment?
How is your data segregated?
Who owns the data?
What are your rights to your data?
What are the service provider's responsibilities with respect to your data?
What are the required notifications?
Security in the Cloud has increased the dimensionality of the definition of "security" to go beyond just protection from external threats (i.e., hackers). It includes aspects that you may have once taken for granted on the internal systems that resided on your own servers or mainframe systems.
Great comments and thought-provoking question.