Is data less secure in a cloud environment?
Online Tech's Senior Product Architect Steve Aiello continues his data security series of videos on data encryption by dispelling the myth that data is less secure in a well-run data center or in a cloud environment.
Actually, data is more secure with a cloud hosting provider.
Does your office have the appropriate level of physical security in place, including:
- Biometric and two-factor authentication – key fobs, PINs and fingerprint readers for access to your servers
- Solid, reinforced concrete walls
- Heat and fire suppression sensors
- Additional locks on cabinets
- Visitor logs
Does your limited technical staff have the ability to:
- Keep your patches up to date
- Run enterprise antivirus, anti-malware and file integrity monitoring alongside an IDS/IPS solution
- Maintain fully redundant, high-availability firewalls
- Implement encryption in storage arrays
- Harden operating systems
- Alert in case of anomalies
- Set up web application firewalls
- Set up and configure highly mobile VPNs in a cost-effective manner
Comparing the services of cloud service providers to the man hours and hardware required for an in-house solution, a cloud hosting provider offers more value and expertise at lower costs.
Steven: This myth that if you put your data at a hosting provider, it is less safe, I would say that is not only 100 percent false, but probably the opposite of the truth. Let's just walk up the levels of security. If you have a server sitting somewhere out in your office, it's not really behind locked doors. The janitor could come in when he's cleaning, literally pick up your server and walk away with it. Does your office have the level of security like biometric authentication? Two-factor authentication like a key fob to swipe, a key card, and a PIN, and a fingerprint reader? Do they have solid, reinforced concrete walls inside of their data center? Do they have the types of heat and fire suppression sensors that a data center would have?
Do they have again, additional locks on the cabinet, so even if you have a cabinet in your location, do you have the types of locks and the access controls? Do you have to keep a log of every single person that goes in and out of the data center, or would you keep track of every person that goes in and out of your business door? That's just in the realm of physical security, which is very, very important, right? You just compare those apples to apples. I can put a server in my wash closet at my office, or I can put it in a hardened data center facility.
Then going up the stack. People that are managing these, does your limited staff have the ability to make sure that your patches are up-to-date? Do they have the expertise to run an enterprise-type anti-virus, anti-malware, file integrity monitoring, log monitoring solution, with a very high-end enterprise IDS, IPS system? A single hardware device to do IDS and IPS per se, can run 50 thousand dollars. Then if you need to buy a second one, so that they can be a high-availability pair, you're looking at about 100 thousand dollars, just for a high-availability pair of firewalls. Then you need the technical staffing to know how those firewalls are used, and keep them maintained.
You look at something then, like a storage array, that makes encryption at rest easy for you. You can get something like a simple EqualLogic storage array, may cost you 15, 20 thousand dollars, but does your staff have the knowledge and expertise to implement encryption on that storage array independently, or do you look to somebody to timeshare a very high-end enterprise class, EMC VMAX storage array, that is AES 256-bit encrypted at rest? Does your staff know how to harden the operating system and alert you, in case they see anomalies that you may need to investigate, because you know what you're doing on the system? You know what software you have. Does your staff have the ability to set up and manage a web application firewall for you, if you have a web presence, and you're selling something online? Can your staff set up and configure a highly secure mobile VPN for you, either site to site, or as your customers roam, and can they do it for you in a cost-effective manner?
What I would say is, I would look at what companies can realistically do with their staff, with the amount of budget that they have, and what can they do comparatively with a cloud service provider. I think the amount of effort that it takes, and the amount of man hours and operational dollars, starts to really, really pile up, here; especially when you're talking about 50 thousand dollars for one piece of hardware, 75 thousand dollars for a web application firewall, a million dollars for a high-end storage array? The average small to medium-sized business, unless you get into being a Fortune 100, Fortune 500 company, they just don't have the budget for that. If you find a reliable and trusted cloud provider that takes security seriously, it gives you the benefit of those truly enterprise-class products, and the expertise of people that run those products every day. What it allows those small businesses to do, it allows them to turn around and really focus on their customer, and drive more revenue into their doors, which is really what they care about.