Across the multiple LinkedIn Groups, Twitter and Facebook pages, and on the blog itself I have been humbled by the fantastic and vigorous debate that the blog’s posts generate. It is clear that amongst the Business Community there is a real need to understand what Cloud Computing really means to your Company and to your bottom line. When we are able to forget about the technology, and start thinking about what that actually enables us to do then the true excitement starts – remote working, dispersed teams working on a single document, sales people able to cut out “admin day”, MDs being able to chase up debtors in real time, IT teams being able to align with the business strategy.
There have also been some common themes in the comments, where there are natural concerns around what it means to a business to have their applications running outside of their network:
- What if my internet connection goes down?
- How secure is my data/what are the legal implications?
Today, I want to spend some time on the second point. I want to try and differentiate between two words, that in the ‘old world’ meant the same thing, but in the ‘new world’ actually mean the opposite – Control and Security.
When you run your applications in your own network, and in your own office, you have control. You can see the boxes. You can see the light is on and hear the fan. Perhaps you are not happy with them under a desk so you buy a server cabinet, perhaps as your rack of hardware grows you dedicate a cupboard or small room to it. You provide a combination lock for the door and install some CCTV to the building. You have RedCare on your Phoneline. You add a redundant Exchange server in case the first one goes down. You have a back-up tape system and take the tapes home every night (or try to). You have a security guard who patrols the business park. He keeps an eye on things at night.
“I have control. I have security.”
In a Cloud environment when you add a new contact record into Salesforce the data is stored…….somewhere on the internet. When you send an important email through Google Apps the record of it is…..I’m not sure. When I add in this month’s invoices in Xero they are all kept…….oh dear me!
“I have no control. I have no security.”
But this is incorrect. Have a think about your personal bank account. We all hear mythical stories of the man who kept his money under the mattress, because he knew where it was, and he had control. He felt it was more secure. But you and I know that our money is much more secure in a bank. After all – they are not just looking after our money, they are looking after billions of pounds worth, and therefore their security will be much greater than my Yale lock on the front door. More so, because they look after so much money, they can afford to provide much better services to clients than my mattress could provide. Interest for a start, Cash machines so I can access my money anywhere, and because banking is a cloud model (i.e. my money isn’t held in my branch) I can use internet banking from any connected device to manage my funds and pay my bills.
When we look at Google and Salesforce as two of the leading Cloud providers we need to do our due diligence as we would for an on-premise solution, but we must also recognise that the physical, technical and human security that they provide will be way beyond what even the largest Corporates could afford to deploy themselves.
If we take Google for example – they provide a Security Whitepaper which goes into great detail explaining the multiple levels of security that they provide to you as a client. As a business owner the question I ask myself is “Could I get close to matching this in my own office?” The answer is no.
Salesforce also provide an insight into the levels of security they provide in their Security Statement. Again, as a business owner I take heart from the fact that Enterprise clients of Salesforce like Bank of America, or Japan Post will have done far more rigorous due diligence than I would require.
The second part of the data security question is about its location. As a business owner collecting and holding customer data you will know only too well your responsibilities under the Data Protection Act, FSA Regulations and PCI Compliance.
I am not a qualified legal advisor so the following should not be taken as official advice, but I can offer my assessment of the situation.
Principle 8 of the Data Protection Act says that:
“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
In real words – you can’t send personal data to a country with lower standards of protection than the originating country. The USA (where most Cloud data is held) is not an approved country, and so the US and EU have set up Safe Harbour (Safe Harbor) – whereby US Companies can become approved and therefore fit within the Data Protection Act Guideline. You can see that Google and Salesforce are both accredited by searching here, and indeed check any other Cloud vendor that you may be considering.
If you take Credit Card Payments then you will be subject to PCI Compliance to ensure the integrity of that data. It is unlikely that you would want this data to be transferred to your Cloud Email or CRM services, but it would be worth investigating any potential liabilities here. The PCI Security Standards Council does not appear to have any specific guidance on how Cloud vendors can approve themselves at this time, so it is worth keeping an eye on their site.
If you are regulated by the Financial Services Authority, then their latest publication on this matter is this 2008 document, “Your responsibilities for customer data security”. A couple of points that I take from this document are the guidance around taking data off-site, i.e. employees leaving USB keys or laptops on trains – with Cloud Computing this problem disappears as there is nothing on the laptop. The document also points out responsibility for backing up data. In a cloud environment your data is held on multiple redundant systems, but with both Google and Salesforce you do have the ability to make back-ups to store on-site if you wish – a complete opposite of what used to happen!
When it comes to third party suppliers the FSA guidance is
My advice here is to remember, just because it isn’t in your office doesn’t mean it is not your responsibility. You should take the time to review the security statements of your chosen providers, check what standards they comply with, and ensure that should you ever have to defend or discuss your data strategy that you made use of all the information available.
As a business owner myself I am comfortable that I have done this and am comfortable to be using Google Apps and Salesforce to run my business.
I hope this post has been useful. I’m sure there will be some interesting debate and I look forward to your comments. Please feel free to share with your network and subscribe in the sidebar.