Data can be safer in the cloud than on the desktop

As computing moves out of the desktop and onto the internet, worries about security have mounted. If you store data in another company's servers, in the cloud, how can you be confident that it is safe? writes Eran Feigenbaum, director of security, Google Apps.

As computing moves out of the desktop and onto the internet, worries about security have mounted. If you store data in another company's servers, in the cloud, how can you be confident that it is safe? writes Eran Feigenbaum, director of security, Google Apps.

I have just completed a tour in Europe, including stops in Italy, Germany, France, Belgium and the UK, and will soon travel to Spain and Holland to explain the counter-intuitive notion that data actually can be much more secure in the cloud than on the desktop.

Cloud computing, when IT software and services are delivered over the web and through a browser, is a paradigm shift, similar to taking your jewelery out of your sock drawer and placing it in the bank. The bank has the economies of scale. It has guards, robust safes, video surveillance - much more than any security investment you can deploy yourself. The same is true with data.

Cloud providers such as Google are equipped to protect millions of users' data every day. As a customer you get to enjoy these economies of scale at minimal expense. Cloud service providers have some of the world's best security experts helping to make sure that your data stays safe.

It's enough to look at newspaper headlines any day of the week and read about lost data. Data on USB keys, lost or stolen laptops, MP3 players, etc. A report released last year by Credant Technologies found that London taxi passengers left more than 60,000 hand-held devices in the back of black cabs over a period of six months in 2008. Some 55,843 mobile phones and 6,193 other devices, such as laptops, were forgotten.

Businesses dedicate a lot of time and resources to protecting their data. So what goes wrong?

The IT Policy Compliance Group reported last year that human error accounts for three-quarters of all incidents that involve the loss of sensitive data. When I was a chief information security officer for a major financial services company, I used to tell my team, "Make it easy for users to do the right thing, and they usually do."

Employees are generally not malicious. They want to work from home as part of getting their work done. Indeed, today's young employees consider working 9 to 5 and always at the same desk increasingly alien. Allow them to access data anytime and anywhere, while it is still stored and protected in the cloud, and you automatically eliminate many data loss risks.

In fact, this article was drafted in my office in California, edited in my hotel in Europe on a different PC, shared with my colleagues, and now posted from a colleague's laptop. At no point was it emailed, downloaded to my desktop or put on USB stick. It was all done in the cloud and protected by the cloud.

The cloud offers several other important security advantages. Most organisations take 30 to 60 days to install security patches on their systems, which is a major concern in its own right. In fact, many companies I talk to admit it's closer to three to six months to install a security patch.

This means that traditional IT systems and applications are open to known security vulnerabilities for a very long time. By contrast, we run a very homogeneous computing environment, so when it is time to patch we can do it in a rapid and uniform manner to all of our systems.

Finally, there is the question of physical security of our data centres and reliability of our products. At Google we replicate users' data to multiple data centres. If one data centre goes out, our infrastructure helps ensure that the data remains secure and accessible.

While in Europe, some unfortunate news helped prove my point. I was in Milan when a flood swept the country and knocked out several key data centres. Although it affected a number of local businesses, Google customers saw no disruption of service.

Admittedly, no system is 100% foolproof, or 100% secure. From time to time any system will be affected by some security issues. The real question is what people, process, and technologies do you have in place to minimise the impact of these incidents, and how quickly can you respond if anything goes wrong.

We designed our systems with security in mind and have a 24x7 security team looking at new threats and to respond quickly. I'm confident that they address the sorts of concerns organisations have with systems they currently manage in-house. More than 1.75 million businesses have already signed up for our Google Apps suite, and this is expanding by,000 a day.

While in Brussels, I saw that European policymakers are taking note. At least three studies on cloud computing undertaken by the European Commission and its security agency ENISA are in the pipeline, and we also talked about ways to demonstrate to professional and personal users alike how we respect our users' security and privacy.

We are convinced that the future of computing lies in the cloud. Cloud based solutions are cost efficient, collaborative, and, more often than not, more secure to operate.

Read more on IT outsourcing