Tuesday, May 14, 2013

On Site vs Google Cloud Security: How do they compare?


Two things that we get asked about a lot are security and privacy in the cloud. Some businesses are concerned about adopting a cloud approach because they think they’ll lose control of their data when it’s not stored on servers they can see and touch. Although this is usually an initial concern, with the necessary due diligence, organisations are actually considering moving to the cloud to gain the additional security benefits it offers.

Let’s take a look at some of the security concerns involved with hosting your data on-site:

  • Companies have multiple operating systems, each with different versions - each requiring different security patches
  • Most companies take 25 to 56 days on average to deploy an OS patch - meaning you are vulnerable for the time in between
  • Companies spend more than $2 billion annually on patches - when you could just benefit from the economies of scale of a cloud service provider
  • While you’re working on deploying your patch, other people are working on reverse engineering and gaining access to your environment...
That raises the question: “Is my data safe on premise?”

Did you know:

  • 60% of corporate data resides unprotected on PC desktops and laptops?
  • 1-out-of-10 laptop computers will be stolen within 12 months of purchase?
  • 66% of USB thumb drive owners report losing them, over 60% with private corporate data on them?
In the cloud, things are different. For the first time, consumer technology is more powerful than enterprise technology. The real security issue with cloud computing is assessing the security of your cloud vendor.
There are currently no real cloud security standards. This means that companies don’t know what it is they need to be looking out for in a solution, and different vendors end up using different technologies.
There is also no standard cloud certification. How do you benchmark the ability of each of these vendors? Most won't even let you audit them!

Let’s look at some of the security functionality that Google provides on their cloud platforms, and see how it compares to on-premise solutions:

 

Each feature below is compared under two headings: "Going cloud with Google" and "Maintaining On-premise".

Two Step Authentication

  Going cloud with Google: This is a built-in feature of Google Apps, similar to the OTP features provided by internet banking, and can be enforced for your users based on OU. It is free and easy to set up and manage.

  Maintaining On-premise: With on-premise, your best bet would be to use a third-party tool to accomplish this (e.g. Vasco OTP, costing anything from $100 - $100k).

Apps Development Security

  Going cloud with Google: Google uses a rigorous code development process. All code is subject to review, and all projects go through a security review as well. Google have tools they use for vulnerability testing before deployment, and they are constantly refreshing those tools.

  Maintaining On-premise: Rigorous testing and risk assessment need to be done on new patches by your own team (who might be multi-tasking other projects at the same time).

GFS = Google File System

  Going cloud with Google: Google have their own file system called GFS. With GFS, files are split up and stored in multiple pieces on multiple machines. Filenames are random (they do not match content type or owner). There are hundreds of thousands of files on a single disk, and all the data is obfuscated so that it is not human readable. The algorithms used for obfuscation change all the time.

  Maintaining On-premise: There aren’t many choices, and most opt for the standard file system included with your server OS. This offers little to no security in this regard.

Physical and Personnel Security

  Going cloud with Google: Google has dozens of data centres for redundancy. These data centres are in undisclosed locations and most are unmarked for protection. Access is allowed to authorised employees and vendors only. Some of the protections in place include: 24/7 guard coverage, electronic key access, access logs, closed circuit televisions, alarms linked to guard stations, internal and external patrols, dual utility power feeds, and backup power from UPS and generators.

  Maintaining On-premise: Your physical security is limited to what you have in your building. Not to mention the necessary requirements to ensure your DMZ and LAN are secure.

As you can see, Google’s Security model has a lot to offer. With Google, security is a chain, and all layers matter.
The bottom line is that, sure, you can maintain an on-premise solution, one that you will be able to see and touch. You are 100% responsible for it and, try as hard as you want, you won't be able to maintain an on-site system as securely and efficiently as Google can theirs. Are the layers that you put in place and maintain (along with all the other IT projects you run) going to be better than the security layers offered by a specialist cloud computing provider? The answer to that question depends entirely on the network, resources and skill you have in place. If you don’t have the resource and budget to maintain the security levels required, then a cloud solution could suit you perfectly.

Friday, May 10, 2013

Smartphone docked to an IP Phone....!

Nowadays smartphones are becoming more popular, and at the enterprise level IP Phones are also being used in many companies.

Now, what if we had an option to dock our smartphone into an IP Phone, so that we could use the IP Phone as a smartphone? Not all features, just some, like making incoming / outgoing calls and checking SMS. Here I think sending SMS would be difficult with a T9 keyboard, but later we can try to enhance that as well.

Also the smartphone will get charged from the IP Phone power itself.


Comments would be appreciated.....


Thursday, May 2, 2013

Seven tips for avoiding VoIP Toll Fraud

Business customers are increasingly utilising VoIP technology, and for good reason.

By integrating their telephony within an IP environment, business customers are able to save a great deal of cost on both infrastructure and telecommunications.

At the same time, they can improve their business processes and customer experience by leveraging unified communications.
While the positives of moving to an IP telephony solution far outweigh the negatives, opening your phone system up to the Internet does increase risk.
Toll fraud has been a problem for a long time, but has increased exponentially since the growth of VoIP implementation.


  1. Apply a daily toll limit with your VoIP provider
  2. Use TLS protected SIP
  3. Employ a stateful firewall
  4. Segregate your business network
  5. Encrypt your site-to-site calls
  6. Use strong passwords
  7. Do not allow generic PINs
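
As an added illustration of tips 1 and 7 (not code from the original post or from any VoIP provider), the sketch below replays a few constructed call records against an account-wide daily toll cap and screens voicemail/extension PINs for generic patterns. The record layout, the function names, the 6-digit minimum and the choice to check the cap against the final call cost are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample call records: (extension, start time, destination, cost in cents).
SAMPLE_CDRS = [
    ("201", "2013-05-02T09:15:00", "+99900000001", 120),
    ("305", "2013-05-02T10:05:00", "+99900000002", 310),
    ("201", "2013-05-02T23:40:00", "+99900000003", 4800),
    ("201", "2013-05-02T23:55:00", "+99900000003", 6150),
    ("201", "2013-05-03T08:30:00", "+99900000001", 90),
]

def apply_daily_limit(cdrs, limit_cents):
    """Replay calls in time order; return those an account-wide daily cap refuses."""
    spent = defaultdict(int)          # date -> cents already spent that day
    refused = []
    for ext, start, dest, cost in sorted(cdrs, key=lambda r: r[1]):
        day = datetime.fromisoformat(start).date()
        if spent[day] + cost > limit_cents:
            refused.append((ext, start, dest))   # cap reached: call not connected
        else:
            spent[day] += cost
    return refused

def is_generic_pin(pin, extension, min_len=6):
    """True for PINs that are guessed first; min_len is an assumed policy value."""
    if not pin.isdigit() or len(pin) < min_len:
        return True
    if extension in pin:                       # PIN built from the extension number
        return True
    if len(set(pin)) == 1:                     # 000000, 111111, ...
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})                 # 123456, 654321, 890123, ...

if __name__ == "__main__":
    for call in apply_daily_limit(SAMPLE_CDRS, limit_cents=5000):
        print("refused:", call)
    for ext, pin in [("201", "123456"), ("305", "482915")]:
        print(ext, pin, "generic" if is_generic_pin(pin, ext) else "ok")
```

With the cap in place, the two expensive late-night calls in the sample are refused while normal daytime traffic on both days goes through, which is the damage-limiting effect the first tip is after.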