As computing moves out of the desktop and onto the internet,
worries about security have mounted. If you store data in another
company's servers, in the cloud, how can you be confident that it
is safe?writes Eran Feigenbaum, director of security,
Google Apps.
I have just completed a tour in Europe, including stops in
Italy, Germany, France, Belgium and the UK, and will soon travel to
Spain and Holland to explain the counter-intuitive notion that data
actually can be much more secure in the cloud than on the
desktop.
Cloud computing, when IT software and services are delivered
over the web and through a browser, is a paradigm shift, similar to
taking your jewelery out of your sock drawer and placing it in the
bank. The bank has the economies of scale. It has guards, robust
safes, video surveillance - much more than any security investment
you can deploy yourself. The same is true with data.
Cloud providers such as Google are equipped to protect millions
of users' data every day. As a customer you get to enjoy these
economies of scale at minimal expense. Cloud service providers have
some of the world's best security experts helping to make sure that
your data stays safe.
It's enough to look at newspaper headlines any day of the week
and read about lost data. Data on USB keys, lost or stolen laptops,
MP3 players, etc. A report released last year by Credant
Technologies found that London taxi passengers left more than
60,000 hand-held devices in the back of black cabs over a period of
six months in 2008. Some 55,843 mobile phones and 6,193 other
devices, such as laptops, were forgotten.
Businesses dedicate a lot of time and resources to protecting
their data. So what goes wrong?
The IT Policy Compliance Group reported last year that human
error accounts for three-quarters of all incidents that involve the
loss of sensitive data. When I was a chief information security
officer for a major financial services company, I used to tell my
team, "Make it easy for users to do the right thing, and they
usually do."
Employees are generally not malicious. They want to work from
home as part of getting their work done. Indeed, today's young
employees consider working 9 to 5 and always at the same desk
increasingly alien. Allow them to access data anytime and anywhere,
while it is still stored and protected in the cloud, and you
automatically eliminate many data loss risks.
In fact, this article was drafted in my office in California,
edited in my hotel in Europe on a different PC, shared with my
colleagues, and now posted from a colleague's laptop. At no point
was it emailed, downloaded to my desktop or put on USB stick. It
was all done in the cloud and protected by the cloud.
The cloud offers several other important security advantages.
Most organisations take 30 to 60 days to install security patches
on their systems, which is a major concern in its own right. In
fact, many companies I talk to admit it's closer to three to six
months to install a security patch.
This means that traditional IT systems and applications are open
to known security vulnerabilities for a very long time. By
contrast, we run a very homogeneous computing environment, so when
it is time to patch we can do it in a rapid and uniform manner to
all of our systems.
Finally, there is the question of physical security of our data
centres and reliability of our products. At Google we replicate
users' data to multiple data centres. If one data centre goes out,
our infrastructure helps ensure that the data remains secure and
accessible.
While in Europe, some unfortunate news helped prove my point. I
was in Milan when a flood swept the country and knocked out several
key data centres. Although it affected a number of local
businesses, Google customers saw no disruption of service.
Admittedly, no system is 100% foolproof, or 100% secure. From
time to time any system will be affected by some security issues.
The real question is what people, process, and technologies do you
have in place to minimise the impact of these incidents, and how
quickly can you respond if anything goes wrong.
We designed our systems with security in mind and have a 24x7
security team looking at new threats and to respond quickly. I'm
confident that they address the sorts of concerns organisations
have with systems they currently manage in-house. More than 1.75
million businesses have already signed up for our Google Apps
suite, and this is expanding by,000 a day.
While in Brussels, I saw that European policymakers are taking
note. At least three studies on cloud computing undertaken by the
European Commission and its security agency ENISA are in the
pipeline, and we also talked about ways to demonstrate to
professional and personal users alike how we respect our users'
security and privacy.
We are convinced that the future of computing lies in the cloud.
Cloud based solutions are cost efficient, collaborative, and, more
often than not, more secure to operate.