When you consider developing new applications for the Cloud - or consider migrating existing apps to the Cloud - you’re probably starting to think about the security of your application's data. There are many “myths” around this particular topic and many skeptics that use them as a safety blanket to stay away from putting applications in the Cloud.
IT In Canada’s Mary Allen just posted a great interview with John Weigelt, Microsoft Canada’s cloud policy expert and national technology officer, entitled Patriots and PIPEDA – locating security and privacy in the cloud. In this article, they discuss the various aspects of data security and privacy that are on people’s minds. I highly recommend reading the article even though there’s no code; take some notes so that you’re armed and ready with information when someone asks you what you think about security and privacy in the Cloud. Here are some key points to take away from the interview:
- The location of the data is not what’s important. It is where control of that data resides that is important. (Page 5)
- The focus of the security and privacy discussions should be around safeguarding your information and what you’re doing to secure it regardless of where it is hosted. As Weigelt says: “What you need to consider is the security of that environment. There are local tools that you can use, such as encryption, but you should consider what information you have, which tools should be applied, and based on the sensitivity of the data, whether or not this should be hosted outside the organization.” (Page 8)
- Cloud solutions are not black and white. Cloud solutions are not "all in" or "not in at all" (I have heard this one from some architects and IT professionals). Your applications can be a mix of Cloud and on-premise. Weigelt believes that “you can divide up your particular services and use cloud in an innovative way that allows you to take advantage of cloud scalability while protecting privacy.” (Page 8)
- The “Cloud” is not necessarily a public cloud. The same principles that make up the public cloud can be applied to create a private cloud: “The last piece is that people can bring cloud philosophies into their own data centres. And by making their own operations more efficient, they can have better control, better line-of-sight visibility into their data and their own operations. They can harness some of those efficiencies that we are able to scale out on the cloud side – and we can provide guidance on how to do that as well.” (Page 12)
- For those who are concerned with who controls the data and who has access to it – even though it’s in the Cloud, it’s still your data and it’s kept safe: “You do maintain tight control over your data, we are able to provide you with information about your data, and access to it is automatically audited by third party systems, so there is tight control over the data that you ask us to safeguard on your behalf. The SLAs that small businesses enter into with us would describe specifically what their permissions and their controls are.” (Page 9)
- Some feel that if data is local, it’s safer. Applications and data are specifically put online to remove geographic boundaries, so if the data is accessible from an online application, is the data still local? Weigelt puts it nicely: “Another misperception in this view of cloud risks is the notion that if I have my machine, my computer server local in my environment, then it is safer than if I have it remotely in the closet (or elsewhere). If you have your server connect to the Internet, then it is local to whoever is trying to use it.” (Page 11)
To summarize, in order to make the right decision whether “To Cloud or Not To Cloud?”, it’s important to go past the myths and preconceptions and dig deeper to discover what is relevant to your specific application. You will then be in a position to make a fact-based decision.
Stay tuned for more myth-busting interviews, information, and resources that will help your “To Cloud or Not To Cloud?” discussions and decisions.