nobeastsofierce - Fotolia
An attempt by Google’s Greg DeMichillie to allay enterprise concerns about cloud security appears to have backfired, with many reacting angrily to his assertion that on-premise stored data isn’t as secure as most people think.
Speaking at a conference hosted by the search giant in London on 23 June 2015, DeMichille, director of product management for the Google Cloud Platform, said enterprises that favour on-premise storage over using its cloud because they perceive it to be safer have things the wrong way round.
“There was a time when security was the reason not to move to the cloud, but with the Home Depot, Target, Sony Pictures and the United States government’s Office of Personnel Management breaches, customers are realising it's more secure in the cloud with Google than by yourself,” he said.
This is because, he claimed, Google has more than 500 professional security researchers focused on finding and resolving bugs in its systems, which is more than can be said for the average enterprise.
“We build our own machines and design our own hardware and software specifications. This minimises the attack service because you can’t go and buy a Google server, set it up at home and probe it for vulnerabilities,” he said.
“All of that is our way of saying, if you thought you couldn’t use a cloud platform because of security, you have it backwards. Being on a cloud platform will actually make you more secure,” he added.
Cloud versus on-premise
However, several industry watchers have indicated to Computer Weekly that what DeMichillie’s assertion fails to take into account is that users need to trust the cloud company they’re handing their data over to – and, in Google’s case, it seems a few have misgivings.
For example, Mark Hall, public sector director of UK-based cloud provider Redcentric, said one problem is that it’s not clear where the data a user may choose to move to the Google cloud is actually being stored.
“DeMichillie’s comments that an organisation’s data is safer in Google’s cloud than on-premise doesn’t go anywhere near answering the real issue with using its cloud service – that of data sovereignty,” said Hall.
“Once in the Google cloud, you have no idea where your data is. You don’t and won’t know when it’s being moved as Google looks to ensure that data is stored efficiently and regularly shifts data from one location to another to maximise resources,” he added.
It’s this approach that could potentially cause problems for users, Hall said, as there is a risk their data could fall under the jurisdiction of another country with all the shifting around.
Another concern, aired by a Computer Weekly reader, was that a company the size of Google is likely to be a top target for hackers, despite its assurances about the security resources it has in place to protect its platforms.
“I have no doubt Google will have better security resources, but it will also be one of the top companies in the world on that target list,” the reader said.
“And, due to its scale, [Google] will presumably have a lot more moving parts to secure and potential areas of weakness than a typical small to medium-sized enterprise would have, almost requiring 500 security people to keep it all secure,” the reader added.
Computer Weekly contacted Google about the aforementioned points, but was directed to a whitepaper detailing the security precautions the company takes with its Cloud Platform, which largely echoes many of the points made during DeMichillie’s keynote.
Cloud security: Who’s liable?
ESPL-Regulatory Consulting, a Shetland-based firm that advises the pharmaceutical industry on European compliance matters, is resolutely anti-cloud.
The company’s IT director Tony Erwood said the nature of the industry his company serves makes it almost impossible to use Google’s cloud services, from a regulatory standpoint.
“We would require Google to fully indemnify us against any and all claims of any sizes by our clients resulting from theft of their data from Google's servers. We would also require Google to fully cover all of our legal costs relating to such claims without question,” Erwood said.
According to a report by IT analyst house Forrester, this is something that would be difficult to achieve because when a company moves customer data to the cloud, it’s still their responsibility to protect it, rather than the provider’s.
“If your firm uses cloud services, you are still responsible and liable from a legal perspective for protecting your customers’ data. It’s not the cloud provider’s liability,” Forrester’s Market Overview: Cloud Data Protection Solutions report states.
“Your auditors know this too. Particularly in regulated industries, such as banking, healthcare and the public sector, you can expect to see auditors raise significant concerns about protecting data resident in cloud workloads.”
The Forrester report also cautions users again relying solely on the security offered by their chosen cloud provider when locking down their data.
“Security and risk professionals are still responsible for the security of IaaS [infrastructure as a service] and SaaS [software as a service] workloads: The location of the workload, whether in the cloud, hosted or on-premises, is irrelevant,” the report added.
“Relying on the cloud provider’s security or attempting to determine their security posture through cloud security checklists is rarely sufficient,” the report continued.
In light of this, maybe the question of what’s more secure – on-premise or cloud-stored data – is a moot point. After all, no matter where it’s stored, liability lies with the company that chose to keep data on-premise or move it to the cloud in the first place.
Read more about cloud security
- Google hits out at users that continue to cite security as a major barrier to public cloud adoption, claiming their data will be safer there than on-premise.
- Skyhigh Networks' European cloud adoption report flags concerns about how much insight IT has into what employees do in the cloud.