« Back to Facilities Management News Home
April 19, 2016 — The following article, posted on Eaton's The Plug, was written by Susan Fourtané, a science and technology journalist.
One of the greatest IT myths revolves around cloud security. The fact is, the cloud is as secure, or insecure, as traditional on-site systems. In recent years, though, business applications and processes have consistently been moving to the cloud for a number of reasons. Some organizations have understood that security is not better or worse in the cloud, but different.
Unfortunately, a series of misconceptions about cloud security, mixed with an unhealthy dose of assumptions on how an enterprise can better protect its information using in-house storage, has led several organizations to miscalculate risk assessment. The result has been a resistance of some businesses to move their data to the cloud.
According to a white paper by cloud service provider INetU, there are five common security myths floating around the cloud, as listed below. In an interview, Karla Marciszewski, network security specialist for Cuyahoga County, Ohio, offered her view on each one:
• The closer you hold the data, the easier it is to protect it: For Marciszewski, it is not easier. She notes that in the ever-changing environment, the norm seems to always be one step behind and reacting to threads rather than proactively inhibiting them. For her, security is both simple and complex: "simple in that you have one task: Protect your assets that would include your data, your network, and proprietary information; complex in that the depth and complexity of the threat environment makes it virtually impossible to be 100 percent effective 100 percent of the time," she says. "It's not a matter of if, it's a matter of when, and how much you can mitigate the damage. You have to remember that cloud is just a word for the data center belonging to someone else."
• Cloud environments make compliance difficult: According to Marciszewski, what is difficult is to ensure compliance.
"Your SLA with the cloud provider can spell out all the compliance measures the provider must adhere to," she says. To make sure they are actually doing it due to being short of having on-site visiting privileges and auditing privileges, "you might consider having severe penalty clauses for non-compliance or missed-compliance. But you still need a means of determining whether or not they have met your compliance standards."
• Physical custody of IT infrastructure better guarantees physical security of those assets: Marciszewski says there are no guarantees to protect something, even if you can control it.
"All you can do it prepare, defend, and protect as best you can, and have a plan in place in case the worse-case scenario happens," she says.
She recommends stronger encryption standards. Unfortunately, encryption comes with a cost that companies seem unwilling to pay, namely "the impact to the network as it decrypts your data at rest, encrypts it for transmission, decrypts it for use, then reverses the processes again. There has to be a way to protect that data without such a huge impact to the network. While hardware encryption exists and is much faster, it is still prohibitively expensive for most companies."
• When you put data in the cloud, you will never know where it is being stored: While this is true as far as it goes, this is easily addressed by the SLA, says Marciszewski, who adds that requiring dedicated servers in a specific location increases the cost exponentially.
• Access control is easier to employ on-premise than in the cloud: According to Marciszewski, this is always going to be easier.
"Even though you can control access of your employees, you can't control access by the cloud data center employees controlled by the provider. That's one reason why the recommendation is to encrypt your data."
To conclude, Tom Nolle, president and CEO, CIMI Corp., summarizes by saying that "the biggest difference between cloud security and security today is that in the cloud you don't have physical/facilities security, so you can't take for granted the notion that the data center resources and network won't be hacked. While having physical custody of infrastructure doesn't guarantee security, not having it guarantees that any security mechanism based on the presumption of physical security will be questionable."
