For years, companies have regularly asked me for my opinion on using cloud-based services. For the longest time, my response was something like, “You should investigate what types of services might fit best for your business,” followed by a selection of caveats reminding them about privacy, risk, and compliance, since their information will be stored off-premises.
But I’ve decided to change my tune.
Beginning now, I’m going to simply start telling them to use cloud where it makes sense, but use the same procedures for privacy, risk, and compliance that they use on-premises.
See what I did there?
The problem is that we’ve treated hosted services (née cloud) as something distinctly different from the way we do things on-premises. But… is it really? Should it be?
It’s hard to find a company today that doesn’t do some form of outsourcing. You’re trusting people who don’t work “for” you with some of your company’s key secrets. Every company I can think of does it. If you don’t want to trust a contract-based employee with your secrets, you don’t give them access, right? Deny them access to your network, key server, or file shares (or SharePoint servers, ahem). Protect documents with things like Azure Rights Management. Encrypt data that needs to be protected.
These are all things that you should have been doing anyway, even before you might have had any of your data or operations off-premises. If you had contract/contingent staff, those systems should have been properly secured in order to prevent, ahem, an overzealous admin (see link above) from liberating information that they shouldn’t really have access to. Microsoft and Amazon (and to a lesser extent at this point) have been putting a lot of effort into securing your data while it lives within their clouds, and that’s going to continue over the next 2-5 years, to the point where, honestly, with a little investment in tech and process – and likely a handful of new subscription services that you won’t be able to leave – you’ll be able to secure data better than you can in your infrastructure today.
Yeah. I said it.
A lot of orgs talk big about how awesome their on-premises infrastructure is, and how uncompromisingly secure it is. And that’s nice. Some of them are right. Many of them aren’t. In the end, in addition to systems and employees you can name, you’re probably relying on a human element of contractors, vendors, part-time employees, “air-gapped” systems that really aren’t, sketchy apps that should have been retired years ago, and security software that promised the world, but that can’t really even secure a Tupperware container. We assume that cloud is something distinctly different from on-premises outsourcing of labor. But it isn’t really that different. The only difference is that today, unsecured (or unsecurable) data may have to leave your premises. That will improve over time, if you work at it. The perimeter, like that of smartphones since 2007, will allow you to secure data flow between systems you own, and on systems you own – whether those live on physical hardware in your datacenter, or in AWS or Azure. But it means recognizing this perimeter shift – and working to reinforce that new perimeter in terms of security and auditing.
Today, we tend to fear cloud because it is foreign. It’s not what we’re all used to. Yet. Within the next 10 years, that will change. It probably already has changed within the periphery (aka the rogue edges) of your organization today. Current technology lets users deploy “personal cloud” tools, whether business intelligence, synchronization, desktop access, and more – without letting you have veto power, unless you own and audit the entirety of your network (and any telecom access), and admin access to all PCs. And you don’t.
The future involves IT being proactive about providing cloud access ahead of rogue users. That means deciding where to be more liberal about access to tools than orgs are used to, and being able to secure perimeters that you may not even be aware of. Otherwise, you get to be dragged along on the choose-your-own-adventure that your employees decide on for you.