No Cloud is an Island

By David Roden posted 09-17-2014 08:29

  

In the classic movie Jaws, there is a scene where Chief of Police Brody informs the scientist (Hooper) that he doesn't know how to swim. 

Hooper: "You live on an island and you don't know how to swim?"

Brody: "It's only an island if you look at it from the water."

I was reminded of this during one of the sessions at the recent ILTA conference. I heard someone say, "I don't want anything to do with the Cloud. I don't trust it". Hmm. If your firm's network is connected to the Internet, even if all you're doing is receiving email, then not only do you have something 'to do with the Cloud', but, in reality, you are part of it.

I understand that most people, when speaking of the Cloud, are referring to the specific types of services such as Office 365, document management, and other hosted applications that are available on the Internet and not just referring to the connection to the outside world. But at the heart of it, Hooper and Brody were discussing apparent risk, and for most firms this is the core issue when it comes to the Cloud.

Your data is not safe just because you can walk down to the server room and put your hands on the spinning drives where it resides. (I wouldn't recommend this, either!) Most of you reading this are familiar enough with the core functions required to protect data: encryption, firewalls, and intrusion detection, to name a few. Data is safe because it has been surrounded by the proper safeguards - wherever the data happens to reside. Consider, for a moment, that some Cloud vendors just might do an excellent job with security, and some might be able to do more than you are able to accomplish with your current resources.

I am not suggesting that data is automatically safer if it's in the Cloud, but I am suggesting that it might be. I'm also not suggesting that all Cloud services are created equal. Some are inherently insecure. Choose wisely.

In your on-premise environment, are you encrypting data at rest? Are you monitoring all suspicious activity in real time, 24 hours a day? Do you have a fully implemented and tested DR plan? If you can answer yes to these and other typical security questions, then the Cloud may not offer security benefits and reduced risk for your firm. If, like many firms, you have limited internal resources and constantly struggle to stay on top of the latest threats, understand that the Cloud can actually improve your overall security posture.

For example, if your firm is impacted by any of the new regulatory requirements such as HIPAA / HITECH, then you know that one of the requirements is to protect Personal Health Information (PHI) at rest and in transit. Further, you know these regulations stipulate specific types of encryption that are deemed acceptable. You can build systems internally to meet these requirements, but you can also choose from several HIPAA-compliant document management and/or file sharing services that can do this for you. In one step, you provide better service to users, lessen the burden on internal IT staff and resources, and improve security.

Cloud services can be more cost effective, more scalable, and lessen the burden on internal IT resources. But these benefits don't automatically require increased risk.

For my own firm, I believe that every Cloud service we currently use has improved our security and our DR/BC capability. My server room is getting smaller and cooler, while at the same time I am able to provide better and more secure services to my users.

I think I'll go for a swim.
