Across the multiple LinkedIn Groups, Twitter and Facebook pages, and on the blog itself I have been humbled by they fantastic and vigorous debate that the blog’s posts generate. It is clear that amongst the Business Community there is a real need to understand what Cloud Computing really means to your Company and to your bottom line. When we are able to forget about the technology, and start thinking about what that actually enables us to do then the true excitement starts – remote working, disperse teams working on a single document, sales people able to cut out “admin day”, MD’s being able to chase up debtors in realtime, IT teams being able to align with the business strategy.
There have also been some common themes in the comments, where there are natural concerns around what it means to a business to have their applications running outside of their network:
- What if my internet connection goes down?
- How secure is my data/what are the legal implications?
Today, I want to spend some time on the second point. I want to try and differentiate between two words, that in the ‘old world’ meant the same thing, but in the ‘new world’ actually mean the opposite – Control and Security.
When you run your applications in your own network, and in your own office, you have control. You can see the boxes. You can see the light is on and hear the fan. Perhaps you are not happy with them under a desk so you buy a server cabinet, perhaps as your rack of hardware grows you dedicate a cupboard or small room to it. You provide a combination lock for the door and install some CCTV to the building. You have RedCare on your Phoneline. You add a redundant Exchange server in case the first one goes down. You have a back-up tape system and take the tapes home every night (or try to). You have a security guard who patrols the business park. He keeps an eye on things at night.
“I have control. I have security.”
In a Cloud environment when you add a new contact record into Salesforce the data is stored…….somewhere on the internet. When you send an important email through Google Apps the record of it is…..I’m not sure. When I add in this month’s invoices in Xero they are all kept…….oh dear me!
“I have no control. I have no security.”
What are your responsibilities towards data?
But this is incorrect. Have a think about your personal bank account. We all hear mythical stories of the man who kept his money under the mattress, because he knew where it was, and he had control. He felt it was more secure. But you and I know that our money is much more secure in a bank. After all – they are not just looking after our money, they are looking after billions of pounds worth, and therefore their security will be much greater than my Yale lock on the front door. More so, because they look after so much money, they can afford to provide much better services to clients than my mattress could provide. Interest for a start, Cash machines so I can access my money anywhere, and because banking is a cloud model (i.e. my money isn’t held in my branch) I can use internet banking from any connected device to manage my funds and pay my bills.
When we look at Google and Salesforce as two of the leading Cloud providers we need to do our due diligence as we would for an on-premise solution, but we must also recognise that the physical, technical and human security that they provide will be way beyond what even the largest Corporates could afford to deploy themselves.
If we take Google for example – they provide a Security Whitepaper which goes into great detail explaining the multiple levels of security that they provide to you as a client. As a business owner the question I ask myself is “Could I get close to matching this in my own office?” The answer is no.
Salesforce also provide an insight into the levels of security they provide in their Security Statement. Again, as a business owner I take heart from the fact that Enterprise clients of Salesforce like Bank of America, or Japan Post will have done far more rigourous due diligence than I would require.
The second part of the data security question is about it’s location. As a business owner collecting and holding customer data you will know only too well your responisbilities under the Data Protection Act, FSA Regulations and PCI Compliance.
I am not a qualified legal advisor so the following should not be taken as official advice, but I can offer my assessment of the situation.
Principle 8 of the Data Protection Act says that:
“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
In real words – you can’t send personal data to a country with lower standards of protection than the originating country. The USA (where most Cloud data is held) is not an approved country, and so the US and EU have set up Safe Harbour (Safe Harbor) – whereby US Companies can become approved and therefore fit within the Data Protection Act Guideline. You can see that Google and Salesforce are both accredited by searching here, and indeed check any other Cloud vendor that you may be considering.
If you take Credit Card Payments then you will be subject to PCI Compliance to ensure the integrity of that data. It is unlikely that you would want this data to be transferred to your Cloud Email or CRM services, but it would be worth investigating any potential liabilities here. The PCI Security Standards Council does not appear to have any specific guidance on how Cloud vendors can approve themselves at this time, so worth keeping an eye on their site.
If you are regulated by the Financial Services Authority, then their latest publication on this matter is this 2008 document, “Your responsibilities for customer data security” A couple of points that I take from this document are the guidance around taking data off-site, i.e. employees leaving USB keys or laptops on trains – with Cloud Computing this problem disappears as there is nothing on the laptop. The document also points out responsibility for backing up data. In a cloud environment your data is held on multiple redundant systems, but with both Google and Salesforce you do have the ability to make back-ups to store on-site if you wish – a complete opposite of what used to happen!
When it comes to third party suppliers the FSA guidance is
My advice here is to remember, just because it isn’t in your office doesn’t mean it is not your responsibility. You should take the time to review the security statements of your chosen providers, check what standards they comply with, and ensure that should you ever have to defend or discuss your data strategy that you made use of all the information available.
As a business owner myself I am comfortable that I have done this and am comfortable to be using Google Apps and Salesforce to run my business.
I hope this post has been useful. I’m sure there will be some interesting debate and I look forward to your comments. Please feel free to share with your network and subscribe in the sidebar.
Brilliant explanation Charlie and excellently researched (a common theme in your posts).
I use the exact same explanation during customer consultation that Genentech, with real value in their IP, have adopted Google Apps. The DD that Genentech would have been obliged to perform due to FDA compliance would have been beyond the resources of most companies. They didn’t find an issue.
I’m constantly frustrated by smaller vendors of traditional hosted solutions (passing them off as cloud) stating that certain players in the cloud are less secure. Again, using your example, a discussion to a potential customer around which company has the world class resource at their disposal, Salesforce or the regional IT supplier, usually gets them nodding in agreement when it is brought down to those basic building blocks.
Look forward to your next post.
Andy
Hi Andy, thanks so much for your kind comment, I really appreciate it. Charlie
Charlie
Your piece on control & security in cloud computing is very interesting and aligns very much with my CEO’s holistic view of the cloud: it must be ok, how many millions do you think google spend on blah blah…’.
I do go along with this to a large extend but it seems to me that the cloud introduces onother danger that is too easy to dismiss or forget; confidentiality of information becomes more difficulty to control.
Two simple examples:
1. in the ‘old days’ when IT had control it was quick and easy to shut out employees leaving the company. Now consider how many cloud-based apps you have in your organisation and how many different people with admin control you’d have to instruct to prevent access by a disaffected leaver who could cause havoc in some pretty critical areas. Also, lazy use of passwords can leave critical areas wide open to hackers and snoopers.
2. there’s an amazingly useful app (by iHance) that integrates with salesforce which automatically copies and tags emails sent/rec’d in Outlook to customer accounts and contacts in salesforce. It only needs a bit of careless configuration for highly confidential, private or sensitive email to be inadvertently left available for anyone with a salesforce login to read.
It will take some time for organisations to learn from the horror stories and figure out how to regain control. At this stage I think cloud app developers have some way to go in helping customers understand and control the risks.
Clive
Hi Clive, thanks very much for taking the time to comment. I completely agree with you – the Cloud is no excuse for businesses to absolve themselves of responsibility for understanding and managing processes. I believe that to a certain extent the Cloud could give better security as nothing is held locally for an employee to copy and remove from the business – the typical client database scenario! With the right processes this can be prevented. Salesforce for example allows you to restrict the IP that a user can access the system from.
It will certainly be an interesting time, and no doubt some horror stories will emerge – as to whether this is human or technical error we will have to see!
Thanks and have a great weekend, Charlie