High-level speakers at Tuesday's SC Congress took a highly pragmatic view of the mass user migration to cloud services – suggesting that reluctant security teams should embrace the cloud, so they at least know where their data is held, rather than have dozens of unsanctioned cloud repositories.
But the audience also heard that cloud vendors can be much more advanced than in-house teams in security knowledge, and companies can benefit from cloud because they finally find out “what data they have and where it is.”
Session speaker Thom Langford, director of Sapient's global security office, said: “Companies are having to shift to cloud because users are demanding it, not because it's part of the IT roadmap.”
He said cloud is spreading organisational data “to the four corners of the earth. Therefore the savvy companies are actually embracing the cloud in order to bring [data] into one known location rather than many different locations.
“They don't really want to embrace it but they don't really have much of a choice. It's better that they know where the data is, even if it's in what they might consider to be less secure, than if it's in 25 different locations where they have no accountability whatsoever.”
Matthew Tyler, CEO of compliance specialist Blackfoot, agreed that corporates “are reluctant to let go” and move into cloud services.
But he said the key questions around cloud are: “Do you know what information you have and where it is? I've yet to meet a company, apart from start-ups, that can answer those two very very simple questions.
“So you could look at adopting the cloud as a way of understanding where your information is and what information you've got.”
In that way, cloud can be used by companies to clean up their processes, he argued.
Nick Ioannou, head of IT at Ratcliffe Groves, agreed that for SMBs like his firm: “It's more secure in the cloud and it has much higher resiliency and redundancy than anything we could afford.” But he said one big issue is the longevity of cloud providers.
Quentyn Taylor, head of information security at Canon Europe, told the SC Congress audience that using cloud securely is “all about risk management and having a mature attitude to risk, understanding what the risk profile is and deciding where and what to run.” Moving into the cloud, he said, often means companies take a more “risk tolerant” approach.
The speakers also advised on how companies can identify the right cloud vendor. Ioannou said: “I look at their customers and if they've got more to lose than me, then they've done their due diligence.”
Other advice was for cloud purchasers to simply ‘Google’ cloud vendors and so research their customer base and financial background, and to speak to the vendor's security team to assess their competence.
The speakers also warned of the dangers of cloud. Langford said cloud should be referred to as “using someone else's computers” - and companies should necessarily be cautious about that. “Someone else's computers” may be better or worse than yours, he said.
In terms of cloud service level agreements, Ioannou said they serve a purpose but companies have to plan for when things go wrong. An SLA, he said, “isn't going to help you when you are explaining to your board why they can't work”.
Langford agreed. “Trust the cloud but always have a Plan B because something will go wrong,” he said.