Knowledge Peers

Over the last few years I've had numerous conversations about the cloud in all its forms with businesses large and small. Having worked at one of the leading Information Security vendors in a previous life, conversations inevitably turn to the security (and associated but not the same, availability) of information. This is where conversations start to diverge rapidly.

With large businesses, with lots of tech. and security savvy staff our conversations are often not about whether their information will be secure per se. For years they have developed and maintained an Information Security, Data Governance, Disaster Recovery policies and strategies and are now primarily trying to identify how to ensure policy a can be maintained for the information that will now be held and/or used in the cloud. The conversation is as much about how to prove policy is being adhered to, both internally and often  to regulators, as it is about the “nuts and bolts” of the security controls themselves.

The more challenging conversations for me though are those with small businesses. I've lost count of the times I've been told that they “don't trust someone else with my data” and “it's safer at home/ in my office with me”. 

For me, it's analogous to keeping your business takings in the mattress because you don't trust the banks, and you can's afford a safe of your own!

Do you Own A Safe?

If you had in-house IT staff, a data centre, off-site back-ups and disaster recovery. If you had an information security strategy, authentication and encryption, and myriad other controls over your sensitive data, and a Network Operations Centre watching over all of that then, in my analogy, you've got yourself the equivalent of a decent safe.

You've built a stronghold in which to keep your information, you have controlled access to who can get access to it, and, assuming you have one of those fancy safes that can withstand fires, explosions, and the advances of all but the most advanced thieves, you're protected from most physical threats that could render your information lost, breached or unavailable. It's a good solution, but it's expensive, and it's out of the reach of most small businesses

A Bank

What if you handed much of the responsibility over to people that make handling all of these issues their reason for being? For whom data loss and data breach could be as serious for them as it is for you. To an infrastructure that removes your reliance on ANY of the physical infrastructure in your home or office in order to deliver business continuity? This is what we do every day with our money – we place it in the hands of a service that can protect it and deliver it back to us, on demand, as required. Indeed more than that, as our businesses have grown, we become more reliant on the bank for providing this service, not less. Let's also not forget that the vast majority of “money” in the system is in fact digital itself – zero's  and noughts held in data centres...

Small businesses do not have in-house expertise. Doing back-ups each night and buying a “really good” server does not protect you from them being stolen. Your security defences will be weak at best to any but the most novice of hacker. Even if you do save the backup disks from a fire or theft, can your business survive long enough for you to replicate the physical infrastructure and software applications to restore them to?

So I ask you, if you're a small business who can only afford a mattress, where do you think your data is better protected?

Footnote:

OK, what about the current state of the banking industry I hear you cry? True, there have been issues of late, but I contend the analogy still holds true. You still own your data, as you still own the money in your bank account. You should chose your cloud provider as carefully as you choose your bank, and you should ensure portability of your information between them. Any which way, it's still in better shape than stuffed your mattress..

Andrew Moloney, Managing Director, Artisan Southwest Consulting

BIO:

Before launching his own consulting business in early 2011, Andrew Moloney served in a variety of marketing and business development positions at RSA Security, which became part of EMC back in 2006, ultimately serving as RSA’s EMEA Director of Marketing, and one of key spokespeople at EMC on the broader impact of Cloud Computing.
Now based in the Blackdown Hills of Somerset he practices what he preaches, using the cloud to enable him to operate all facets of his business. Find out more here.