Trust – but verify – the cloud

I’m sure you have heard companies promoting “the cloud”.  If you run or manage a business, you have probably also wondered if you should move your data to the cloud.  There are three questions that must be answered by a vendor before you’ll have enough details to decide.

  1. Is data encrypted and secure both at rest and in transit?
    Securing a website address by using https:// is only step 1 of the equation because that same data sent through a website input form travels through many servers once submitted.  Every server and database touched needs to be secured.
  2. Does your vendor have redundant data centers?
    If your vendor runs their own servers, do they have a plan if those servers go down?  Many large vendors will have multiple server warehouses (better known as server farms) spread across the country.  If a server at one location goes down, a cloud based provider should be able to continue business at one of its other redundant data warehouses within minutes if not seconds.
  3. Can you continue business without access to your data?
    Put the worst case scenario in your mind when it comes to going without your data.  If you can’t take a revenue hit being offline for 30 minutes, then a cloud provider may not be for you. On the other hand, you may be okay if you can continue business on paper while you’re systems are offline.  Your paper downtime process will require someone to physically go back and enter data into your systems, but that may not matter to you as long as revenue keeps flowing.

The Details
securecloudKeep in mind that every business will have different requirements.  If you build reports and work out of your house, you can probably stand being out of commission for a few hours.  If you run a physical storefront, every minute of downtime means money lost.  Assuming you need to err on the side of caution and have little ability for downtime, let’s dive into exactly why these questions are so important with a real-life scenario comparison.

Humans get sick when they are exposed to viruses and bugs. Computers are no different. Most computer viruses are no harm until the user mistakenly opens a file that contains a virus.  Once exposed, viruses can create a nightmare. Cloud based systems, Google Gmail as an example, have been developed and made more user friendly over time even containing features that warn users when a virus is present.  Even though the virus is present on a server, Google systems are smart enough to quarantine the virus in a place where you can’t accidentally infect your computer.  These cloud based features can be deployed instantaneously compared to the early days when the user had to manually download updates.  Score one for the cloud using Gmail!

Similar protections are available in many cloud-based forms of software, but the most important fact is the Gmail features many of us have come to appreciate were developed based on user feedback.  The more users, the more accommodations for their preferences.  And the quicker the feedback of new problems (or viruses in this case), the quicker Google can update their software.  That means the previous days of discovering a virus, writing an antivirus update, then waiting for the user to update his or her software are gone.  Some users chose to ignore antivirus updates in the past which ensured a virus infection.  Cloud based vendors can now bypass the whole update process by going from discovery to deployment of required updates within minutes.

Why is the cloud more efficient for most small businesses?
Experts maintain cloud systems compared to Joe Schmoe who stops by a small business once a month to run software updates. And the truth is maintenance on servers can be a pain that most small businesses don’t want to waste time dealing with. In addition to software updates, the small business has to deal with hackers trying to hack their network when servers are run in house.  Network security in a massive cloud data center will be much more secure than most small businesses could ever compare.  And I almost forgot to mention that physical hardware can more easily be stolen from a small office compared to Pentagon-like security at huge data centers like Amazon or Google.

256bit_sslThe one caveat to trusting the cloud is trusting your cloud provider. They must be able to answer details of the following.  If the expert of the company avoid answering these questions, you might want to find somewhere else to do business:

Do they use the highest SSL or TLS for data in transit?
This is a techie way of saying protect your remote data in many ways. For instance, PayPal requires a minimum of SSL 3.0 or higher to use their site.  Your vendor shouldn’t take less than the PayPal standard since they’re required to work with most any PC in the world.  Most website users have become accustomed to making sure a website is secure if they input credit card information, but that same information could be insecure in other ways.  Lets say your website protects a credit card number by using a secure link (aka: the https:// standard protection).  That is great, but it doesn’t protect data once it leaves the website heading for the processing payment gateway.  We’ll refer to this as transfer of data as everything happening behind the scenes.  This is where you need a reputable company with staff that KNOWS THEIR STUFF.  The only way to know – do your own thorough investigation asking about your vendor’s credentials and how many staff they have devoted to security of data.
Do they encrypt data “at rest” in the database?
Your vendor may a secure website address (eg: https://www..), but that doesn’t mean the data stored in the database is secured or encrypted.  The “at rest” terminology just means the data has found its resting place and is not being transferred between servers or network equipment.


What is your vendors action plan if they are attacked?
Depending on the nature of your business, your vendor shouldn’t tell you they plan on shutting down all their servers.  That may have to occur for a few minutes, but the majority of cloud vendors have ways of segmenting their network or trapping the hacker into one zone and continuing business throughout the rest of their network.

 If you are talking to the expert at your cloud provider and he/she cannot answer the above details, you might want to look at switching to another provider.  No answers doesn’t mean they’re a bad vendor, but it does mean your business will probably be offline for a while if the vendor is attacked.  Why?  No experience means that vendor will have to learn on the fly and you don’t have time for that.