Cloud security today
Managing data security in the cloud is one of the more problematic challenges CISOs face today. David Feldman, CEO of PineApp, talks with John Rollinson, director of sales at Data Shepherd, a provider of online backup, hosted services, and cloud services based in Manchester, United Kingdom.
David Feldman: When it comes to cloud-based applications, what challenges do your customers mention to you as being the most important to them?
John Rollinson: Our customers are facing several challenges when deciding on whether or not they should use cloud-based applications. Many of our customers worry about whether their cloud solution will be secure enough to meet their regulatory requirements or their insurance requirements. They still think that because the application is run on their site that it is more secure than a cloud solution. This is not the case, as most reputable cloud solution providers will spend a great deal more time and money making sure that their security is kept up to date and is generally of a higher level than can be achieved by the customers' budgets.
Other challenges include dependency and vendor lock-in, downtime and connectivity, and limited control and flexibility.
DF: Cloud applications are ubiquitous in the United States but have been slower to be adopted in Europe. What trends are you seeing in the adoption of the cloud in the UK?
JR: While the UK and Europe were initially slow to adopt cloud solutions, this is now starting to change, in large part, due to the following reasons: cost efficiencies, convenience and the need for high availability, backup and recovery, resiliency and redundancy, and scalability and performance.
DF: Basic productivity applications in the cloud, such as Office 365 and data storage, are becoming much more popular. How is this trend impacting your customers and by extension, how the cloud is being used in the UK?
JR: Hosted Exchange and online data storage are becoming more popular in the UK. This has allowed the customer to get used to using cloud solutions and to start to trust that not all solutions need to be on site. But UK customers are still reluctant to allow all of their services to be placed in the cloud. We are seeing that while significant advantages can be made by placing certain solutions in the cloud, most UK customers are reluctant to place business-critical systems on the cloud. It is our role to educate, and email is often one of the first areas that the conversation begins in.
DF: What information security expertise (business continuity, disaster recovery, and the like) can you offer small to midsize enterprises that they might not be able to accomplish on their own?
JR: Information security is the basis for all our solutions.
• Advanced, secure email solutions
• Encrypted online backup
• Secured hosted environments
• Web assets protection
• Network access control solutions and management solutions
• Proactive cyber-defence solutions
• Audits and surveys, penetration testing, APT, DDOS
• Cyber-forensics and response team
• Training and awareness courses.
DF: When you are talking to prospective customers who have no or very limited cloud computing experience, what kinds of questions do they ask or what kind of common misunderstandings do they have about using the cloud for business applications?
JR: Nowadays, because the media provides so much information about the cloud, we have the expectation that most people will have some understanding of what the cloud is, how it operates and how it is used. The most common misconception is that if you have your data serviced by a public cloud, others using that cloud can access your data and you will also be more vulnerable to attack from others utilising the same public cloud. An additional question rising in many of the meetings is that the cloud is more vulnerable to outside threats than an alternate service delivery environment. This is of course not necessarily true. Every solution chosen, cloud or on premises, needs to be secured adequately.
DF: For many small to midsize enterprises, a common refrain is that they do not think they will be targeted by attackers because they are too small or that they do not have data that would be of interest to anyone else. For companies that have such views on data security and potential breaches, how do they view the capabilities that a managed services provider or managed security services provider can offer?
JR: In the not too distant past, information security was viewed as something only enterprise-level organisations should be worried about. We expect to see major growth in this area and the largest growth is expected in the SME area. Unfortunately, today most of the time that we engage with a new customer, regardless of size, it is after they have been the victim of some type of online attack – often the result of compromised email security. What's more, I think the fact that insurance companies are now starting to ask questions about how companies secure their data is getting SMEs to reflect much deeper on the very real risks and consequences of a data breach. It is our role to provide customers with the information they need to make informed decisions but without scaring them witless. Cloud security awareness is growing in the UK, and SME managers are driving a lot of our conversations. These managers are recognising that as more and more of their core business applications (email, etc.) are delivered from the cloud, they want more and more assurances that their data is secure.