Data storage in the cloud has become a mainstay for companies in all industries of all sizes. Yet as more and more valuable data moves to the cloud, how can businesses stay one step ahead of the security risks?
The 2017 State of the Cloud Report, published by the Santa Barbara, Calif.-based cloud-computing provider RightScale Inc., shows 95 percent of businesses make use of the cloud in some form.
There are reasons why the cloud is an appealing place to store data. For one, a third-party provider has a broader perspective of cyberthreats that can help protect your business, said Dan Shugrue, director of product marketing at Akamai Technologies Inc., a Cambridge, Mass.-based cloud-service provider.
“Let’s say you have an e-commerce site and prefer to touch your data yourself. You can be excellent at your job and notice when the latest threat comes in and take measures to block it,” Shugrue said. “But you can’t see who is threatening other companies in your industry, and you can’t put protections in place before they strike.”
Then there is the cost incentive. Consumer-grade cloud storage, such as Google Drive or a basic Dropbox account, comes free of charge.
“I see a lot of small companies…using cloud storage because it keeps your overhead down real low,” said Mark McLarnon, chief technology officer of CyberPoint International, a cybersecurity firm based in Baltimore. “You’re pushed, you’re almost enticed to use things like (Microsoft) OneDrive. Even with the free versions, you get a lot of storage. But what’s overlooked is the risk of unauthorized access.”
Aaron Newman, co-founder and CEO of CloudCheckr Inc., a software firm based in Rochester, does not see the exodus of businesses moving to the cloud as a passing fad.
“It’s an undeniable movement that people are going to move to the cloud,” he said. “In 10-20 years from now, 90 percent of the data, 90 percent of all computing resources is going to be in the cloud. Anyone that’s putting up a new service or application today, it’s all done in the cloud.”
What are you storing?
The consumer-grade technology tends to be free, but users are paying for it with a lack of privacy, said Donald Spicer, associate vice chancellor and chief information officer of the University System of Maryland.
“If you have a consumer-grade Google account, there is no limitation about what Google is able to look at within your private account. None of that is true when an enterprise pays for a service. It’s all protected, and it’s quite a different service,” he said.
For that reason, upgrading to a paid cloud provider is worth the investment for many businesses because you are more likely to keep your data safe from competitors or other intruders, Spicer said.
While there is still on-premise data storage on its campuses, the University System of Maryland does rely heavily on the cloud. For example, it has moved to software-as-a-service solutions for its human resources and financial functions, Spicer said.
Data stored in the cloud is secured by a variety of measures. For example, data has to be encrypted both in transit and at rest to prevent unauthorized access. The university system also has a cybersecurity council with representation from all its institutions.
CloudCheckr’s Newman believes businesses need to think of the cloud as secure. The problem is many businesses do not.
“You’re much better off putting your data in the cloud,” he said. “If you’re putting your data on a (cloud) system like Salesforce.com or some other system, those vendors are very diligent about fixing security holes. You’re never going to have perfect security … you still have threats—they’re just way more diligent about it.”
“I think moving to the cloud actually makes your stuff more secure,” he added.
Ultimately, especially for institutions with personal or confidential data to protect, it is important to stay on top of which setting is safest. That is the approach followed by Jefferson Health in Philadelphia.
“Being in health care, we have to really look at the sensitivity and criticality of some of the data,” said Robert Dalrymple, director of information systems and technology security and enterprise information security officer for Jefferson Health and Thomas Jefferson University. “Some data and information, we may not want to have in the cloud, although we can have private and dedicated cloud situations. It’s probably going to be a hybrid final state here.”
Where is the data?
For managers contemplating the cloud for the first time or wanting to upgrade from a free account, what are some important questions to ask prospective providers?
First of all, know where the data will be.
“We have an obligation, if we have protected information, to know where it is stored,” CyberPoint’s McLarnon said. “The internet connects us in ways we don’t always grasp. We could be storing a file with a cloud-storage provider and it might be replicated in Oregon, Ireland or Eastern Europe.”
He also recommended making sure your provider requires multifactor authentication to access your data. That means anyone looking for access has to provide multiple pieces of evidence to confirm their identity, such as typing in a password and identifying a security image.
Another important question concerns micro-perimeters around the data, said Brian Vecci, technical evangelist at software company Varonis Systems in New York City. “Micro-perimeters are the equivalent of placing a wall directly around the data itself. … (They) restrict access on a need-to-know basis and monitor and alert on all usage for unusual behavior. The idea is that a cybercriminal can and will scale the walls of a castle, so let’s put the crown jewels in a locked safe within a locked room that is monitored 24/7.”
Then there is air gapping. This is the practice of making sure that there is a physical barrier between unsecured public WiFi networks and the place where your data is being stored.
Some cities are not adapting to the cloud as fast as others. Rochester in particular is lagging behind in implementing the cloud, Newman said.
“Rochester for 100 years was one of the innovation capitals of the world in everything from digital, optical, medical, research and even beer (industries),” he said. “Definitely in the cloud world we’re lagging behind. If you go to one of the big cities they’re much more proactive about moving to the cloud.”
With top technical universities such as Rochester Institute of Technology and the University of Rochester, the city should stay relevant in terms of cloud computing, Newman said.
“There’s definitely people doing it; we’re just not as advanced as some of the other areas. But we should be,” he said. “We have just incredible universities here so we really don’t have an excuse not to be.”
Today, cloud usage is already near-universal in the business world, and that trend shows no sign of reversing. “More data will move to and pass through the cloud as costs go down and functionality goes up,” Vecci said. “The companies that will be ahead of everyone else will be the ones that leverage unified data-security platforms for connecting cloud and on-premise systems into a single framework.”
(c) 2017 Rochester Business Journal. To obtain permission to reprint this article, call 585-363-7269 or email firstname.lastname@example.org.