Why the cloud helps to overcome Security Concerns
The current heated discussion about security and cloud reminds me of an interesting recent survey on cloud computing from Saugatuck Research. Not much has changed when it comes to customers and the way the cloud is perceived.
Security was and is top of mind for everyone. Rightfully so. I agree with Saugatuck´s conclusion :
|
Saugatuck believes that the reality of Cloud IT is actually the reverse of popular thought. We believe that: The growing prevalence of Cloud IT use, including communication and interaction throughout multiple “Internets of things,” can deliver vastly improved security that reduces the risk of data loss and system breaches by improving the ability to secure, monitor, and manage devices and software. |
See detailed research here:
- In last week’s Saugatuck Research Alert, they outlined how buyer concerns regarding Cloud have changed – and not changed – over the years (1245RA, Cloud Concerns: Survey Reveals Some Counter-Intuitive Results, 31July2013).
I agree especially with the following conclusion:
- As we noted in last week’s Research Alert (and in previous research published for our subscription clients), “the” great misconception about Cloud, especially public Cloud-based IT services, is that they are less secure than other IT provision alternatives. We find this perception widespread, and typically wrong. The data centers and networks built for Cloud platforms and service delivery tend to be architected with much greater reliability and security than most on-premises data centers, in part because the entire data center is architected and built with uniform technologies and implementations of those technologies.
Security is top of mind for customers, ensuring that cloud computing vendors need to invest substantially, and KEEP investing. As customer, you need a stable and viable partner when it comes to security
.
Some of the key topics are outlined in one of my latest blogs: The 1-2-3 of Cloud Security at SAP
Cloud computing done right can help to overcome security concerns, especially as many customers realize that they are not able or willing to invest as much as a specialized vendor can. That on premise isn´t safer per se – and access to data, via mobile and/or cloud, needs a clear strategy with IT departments in the lead.
Wish you all a nice summer holiday season!
Regards Sven…
(You can also follow me on twitter @SDenecken to stay on top of latest and greatest about cloud computing)
Interesting statistics and research. It's going to take some time for the Cloud data issues to blow over. It's important to realize that what we're seeing is nothing particularly new - many companies have been mining and harvesting data for a while already. And interestingly, since many Cloud companies (such as SuccessFactors) don't own the customer data they cannot comply with requests to provide it.
I always felt the concerns about cloud security are very much like fear of flying: Statistically, flying on a commercial airline is safer than driving. But far more people are afraid of flying than of driving and amongst other things there are two important factors:
- you depend on others as an airline passenger, whilst you can always buy into the illusion you are safer than the rest, when you are in control
- an airplane crash is always on the news
very much like cloud vs on your own premise in terms of perceived security, innit?
Top comment Sven and I think it is this mentality that creates a fear of the Cloud. Although we haven't had any Cloud data thefts yet in the enterprise software world. But when we do it will be big big news.
It might be happening, you just aren't aware of it. I'm talking about hacking here. Another scenario being that a malicious employee of the cloud provider might access/steal your sensitive data without you (or the cloud provider company) being aware of it. Both arguments can be applied to on-premise as well but with on-premise at least the latter one is less probable.
It might be - or it might not be. To say it might be is scaremongering, which is the point at which Sven is getting at. Internal networks can also be hacked - nearly every SAP system is connect to SAP (for OSS, for example) thus creating an access point (the DMZ) to which it can be hacked. And the security of your average company is not as strong as the security of a Cloud provider. SuccessFactors, for example, has a bigger security and data privacy budget than most customers could dream of...
Agree with Luke.
Whilst I'm not on the 100% gung ho side for moving to cloud with everything at any cost right now, security is not one of my cloud related concerns (well, not more tha on premise).
Only a very limited no of customers would really need and have stronger external security than leading cloud ensw providers.
Whether or not more admins than necessary have access tou your data on within cloud vendor companies, I must admit I don't know.
I can't comment for all Cloud companies, but I do know that SuccessFactors gives very limited access to employee data. Only the DBAs they have can access it and even then they cannot do so without an express reason to do so. And of course, all data access is monitored and recorded.
Agree with Samuli, Cloud is a quite new platform, not so many companies are hosting their data in the cloud. I'm pretty sure that there are some hacking cases that are not yet publicly announced. I remember when I was in a security conference last year, there was a presentation about the key pair dump from Amazon VMs, where hackers were able to fing the key pairs of other users that are using the same physical machine. The impact of such attack is not big enough to be widly reported in the news.
How do you define "not so many"? SAP itself has thousands of customers and when you start to look at Salesforce.com, Oracle, Amazon, etc you can add a few more thousand. I think that's quite a few. And the security at some of these companies is quite impressive. Of all of my 35+ customers, only a national government defense organization had better security and that's because it had no connection to the outside world (even SAP Support wasn't allowed system access). Maybe things are being hacked, but that's no Cloud-specific because on-premise systems can be hacked just as easily - if not more easily.
Setting the “who has better security” argument aside, you are missing one point Luke. In-house hacking will more likely happen in a cloud company. After all, who would hack themselves? Okay, the screening of IT specialists in major cloud companies might be better than in your average SMEs but still the argument stands. Another point is that with cloud you as the customer will be the last one to know about a successful hack attempt just because the cloud company is covering their bases.
Sorry Samuli, I don't understand your point. Are you saying that a Cloud provider is more likely to be hacked as an "inside job" than an on-premise company? And if so, what is the basis of this?
I know that SuccessFactors hack themselves weekly to test their security, but I'm not sure if this is what you're referring to.
Exactly, because hacking into several companies for financial gain is inevitably more tempting to hackers then hacking into the company you work for.
If you knew anything about Cloud security you would know that this is incredibly unlikely and almost impossible. It would be easier to hack several on-premise companies through their DMZ than it would a Cloud company. "What if" scenarios don't mean anything without basis and there is no real basis to this because Cloud companies focus on this much more than any on-premise companies do.
Please do not assume what I know and do not know about Cloud security; I don’t publicly doubt your skills either. When it comes to security I’d rather be overly paranoid then ignorant to the harsh realities of Today’s world. Only time will tell, it could go either way.
I fully agree with you Samuli.
To be honest I do not have strong experience with Cloud infrastructure, but I'm in IT since enough time to know how things are running.
I can believe that "Cloud companies focus on this much more than any on-premise companies do" , but I'm not sure that's enough.
One of the biggest security issues with cloud-apps is the ability to largely log in from anywhere, and the fact that it’s mostly used through a browser. Rich client and LAN access are far easier to secure.
Cloud Co. knows than security is a major obstacle to the adoption of their product and they are doing their best, but does all their subcontractors do so ? Delegation is the big problem with cloud... at many levels.
I'm afraid that's not really close to the truth for Cloud company's such as SuccessFactors. I recommend that both of you read the security part of this report on SuccessFactors:
http://sapexperts.wispubs.com/SAP%20and%20SuccessFactors%20An%20Overview
I find it interesting that both of you have concerns with Cloud, but both of you rely solely on on-premise NetWeaver technology to make a living.
You're true, I (we) might not be fully objective...
but you too as you seem to mainly work around success factor 😉
Hehe, I'm keeping my fingers crossed! 😉 But I've done a lot of research on the topic in the last year and it's opened my eyes.
Thanks, I read the security chapter of the report; I’m not sure what you wanted me to learn from it.
Yet again you assume things. I use Cloud based services heavily (IaaS and SaaS) for both personal and business needs. I do make my living working in SAP environments that are on-premise but what has that do with anything? Are you saying I have to work with SuccessFactors, HANA Cloud, etc. to truly appreciate Cloud?
I find it interesting that you want to shoot down anyone who has concerns that you do not share. If you know that Cloud is so great, why can’t you just ignore people who do not share your opinions? I keep seeing this kind of behavior on Internet forums. Be it your favorite brand, programming language, operating system, etc. there are always those that do not accept the fact that not everyone shares their opinion.
The only thing I had to contribute to this discussion was to share my concern that Cloud, even if inherently more secure than on-premise, will introduce new security concerns.
I'm always open to different perspectives, but I don't like those that want to scaremonger about concerns that don't exist. If you follow my work, blogging, tweets, panel sessions, etc then you will see that I often debate with people who have different perspectives. It's something I enjoy greatly. But when perspectives are based on "maybe" this and "what if" this, but not on actual facts or evidence, than sometimes it is difficult to understand the perspective. You above say that on-premise is not as secure as Cloud - so what is the point you have been trying to make? My point is that Cloud is more secure than on-premise and that there is no evidence on the contrary - and also that on-premise faces the same concerns because SAP systems have open internet access that is less protected than Cloud. Therefore, you can see that I am not being argumentative or shooting down different opinions - rather, I am merely defending the facts that you have admitted in your last comment are the case.
Uhh, you missed the "if" part. I bet you did that on purpose 😀
Anyway, let's see.
Nobody's perfect 😉
It will certainly be interested to see what happens in the future.
Thank you for thus reports. I have one question with regard to the Data Protection law that is applicable to success factor Data centers. in the report it is written that :"
SuccessFactors security standards are based on the strict UK BS10012 standards for data privacy and the ISO27002 framework for security standards" well, very good news. But we also read that :"SuccessFactors has two data centers each in North America" .. in that case these data centers falls under the US legislation with including the partiot act Privacy nviolation rules( PRISM and co). HWhat is the guarantee of our cutomers that their Data cannot be accessed by the NSA or the US goverment .. although if we claim that we apply sone strict standard.
In fact, I'm not sure that we are paranoid by inventing threats that potentially are not existing, but we learn from other cases happened in other companies .. most of the time we can use the best and most sofisticated authentication sytems, encryption , access control and whatever, but the threat is not comming from outside, it comes from inside. And insider "attacker" is not potentially malicious, he maybe curious or just vulnerable ! Let's take the example of the Syrian electronic Army that is an outsider attacker .. most of their attacks are based on social engeneering methods to corrupt one employee of a company (sending e-mail pretending being a CEO or manager) obtaining credential and secrect informations access to amin consoles and corrupt systems and web site. In that case we can have the best security sytems in place .. all the data can be lost.. with a cloud provider company, in stead of loosing one company dataset .. we loose many datsets from various companies !
My point is that this risk exists for on-premise customers and is even more of a problem given the low investment in security by these customers, so raising it as a risk for the Cloud without pointing out the fact that the same risk exists for on-premise customers is not a balanced view. On-premise customers an be hacked now and most likely more easily than a Cloud company.
And don't think having data in a data center makes it easier for the government to get at. They can request your data whether in the Cloud or on your premises - but in a SuccessFactors data center, for example, SuccessFactors cannot hand over the data because they do not own it. The customer has to hand it over. And that's actually if the government are ever going to ask for the data in the first place.
Hm. Not too sure about that. Others seem to have handed over data they don't own and anyway: as long as you are not a US citizen, the US legal system tends not to give a ... About your privacy. There have been quite a few arguments that the US is actually risking to fall back as a cloud provider because of this. In Germany snd Scandinavia, US based data centre currently seem to be the biggest show stopper for cloud adoption.
But I inderstand SF is providing data centres in Germany now, as they would otherwise not get far in that market. Even before Snowden, despite the safe harbour regulation (a law assuming that data privacy in the US is as good as in the EU: the very existence of the law proves it is not. If it was, the law wouldn't be necessary) many European companies tried to avoud data being kept in the US.
So, I have to say I share the concerns, but I think they are being dealt with.
Being in the US puts you at risk, on-premise or Cloud. Also, Sweden has rules that mean your data is easy to access for the government in a way the US can only dream of having.
There are SuccessFactors data centers in Germany now (in St Leon Rot, near Walldorf) and SuccessFactors also have them in Australia.
I can see the concerns, but on-premise customers are already at significant risk. Cloud doesn't introduce new risks, it just means existing risks still exist. The point I make is that fair argument would highlight the existing risk rather then only the "new" risk. Unfortunately folks that make 100% living from on-premise work don't want to hear that.
And that's the last I'm saying on the topic 😉
Here is a totally new risk for you, because of Cloud. You as a Cloud customer get hacked because of collateral damage meaning some other company/companies were the target but just because you were on the same Cloud you got hacked too.
On a personal note:
I switched from drop box to Wuala, stopped using salesforce and stopped a project to switching accounts from a European to an American cloud product.
Our wiki has been moved from public to private cloud.
Still many things not as easy to switch, but it's a start.