Security in the Cloud: Who’s afraid of the big bad wolf?

Do you know the “Three Little Pigs” fable? If not, they were three anthropomorphic pigs that, after being sent out by their mother to seek their fortune, built three different houses with different materials. A big bad wolf was able to blow down two out of three houses made of wood and straw but was unable to destroy the last house made of bricks, so he first tried to trick the pig to come out by asking to meet him at various places and then finally tried to enter the house via the chimney where he fell into a cauldron of boiling water and retreated.

There are many similarities in this fable with respect to the information security topic. Wherever our data are, there will always be threats to their security and whoever manages them, from the users to the IT department, must have a thorough awareness of such threats, understand them, learn from errors and reject them.

But what exactly is information security?

Information security can be thought as all the countermeasures put in place to preserve information’s

  • Confidentiality
  • Integrity
  • Availability

Confidentiality is a set of rules that limits access to the information. Integrity is the guarantee that information is trustworthy and accurate. Availability is the assurance that information is always ready to be accessed by the authorized users. Every threat to one of the above mentioned aspects is a security threat - the big bad wolf that is threatening our houses - and can have devastating impact on our business.

Security and the Cloud

And what about the cloud? Is our information secure enough on the cloud?  Is it any better or worse than in our datacenter?

When we think about the cloud the very first concern is that we no longer have full control of our information, as it is hosted on servers that are managed by people we don’t know and sometimes we don’t know where they are located geographically.

But the above considerations really should not be the most concerning risk. Let’s look at the broader picture:

1. Core competency - if you use a software as a service (SaaS), it is clear that this is the core business (or one of the business) of the company that provides it and that they most likely have more experience and a broader understanding than you about the service
2. Access controls - does your company have controls in place so that only authorized users can not only authenticate, but just reach a service ? With a software in the cloud, the focus is on limiting accesses
3. Scalability - is your on-premise solution completely scalable, therefore available?  The volume of data growth and the increase in the number of the concurrent users often force your company to invest heavily in hardware resources and often takes a long time. With SaaS,  this goes away; you have virtually infinite hardware resources at any time in a matter of minutes or hours.
4. Internal organization/ External Verification - companies that provide SaaS solutions follow external standards (such as  ISO 27001  and SSAE 16) and structure themselves to improve their security processes around managing the clients’ information in the most secure and controlled way.
5. Business Continuity - cloud providers have a department dedicated to the preservation of your data, so you can confidently rely on them as part of your company's Business Continuity plan.
6. Pay-as-you go you have a predictable expense even if your data amount grows unexpectedly
7. Access anywhere - you can choose to be in a precise geographical location or allow for mobility and be anywhere to access the software


The brick house alone won’t save you

The above are valid points, but mind you that 100% security can never exist: information security is always a compromise that comes from a risks assessment and from the necessary resources that we decide to invest for risk mitigation. A good grade of technological security is perhaps the easiest to achieve and is the one we have the best control over. It is very difficult for example to control an unsatisfied employee whose job is to deal with critical company information, or to fight against our bad habits e.g.: to store passwords in the passwords.docx file on our desktop (none of you do this, right?).

The best security comes from good habits and strong awareness, otherwise the big bad wolf is who we see everyday in the mirror.

What are your thoughts? Is your company moving to the cloud? Is (or was) security a concern?


Share this post!