It’s a Catch 22 for the 21st century: As a business, you likely need the boost in productivity cloud computing can provide, but to go on the cloud, you have to turn your data over to a service provider even though you are still ultimately responsible for its security.
Rashaad Bajwa, president and CEO of Domain Computer Services, appreciates the dilemma. More importantly, he thinks more businesses should appreciate it too.
“The big misnomer that a lot of organizations have to go through is the assumption that the cloud is heaven,” Bajwa said. “The cloud is not heaven. It has a ton of potential. It can be the absolutely best idea for an organization. However, if not done well, it can also be the worst nightmare.”
At its heart, cloud computing allows an organization to use other people’s computing systems as its own. The cloud comes in two basic flavors—Infrastructure as a Service (IaaS) and Software as a Service (SaaS).
With IaaS companies like Amazon Web Services, Google Cloud Platform and Microsoft Azure, a business is simply using the provider’s capacity—CPU, memory storage, and internet access. “Everything at the software level is your responsibility, and that includes cybersecurity,” Bajwa said.
SaaS provides the hardware and adds a software layer on top of that. Salesforce.com, for instance, is an SaaS company.
As far as security goes, IaaS isn’t much different than putting the infrastructure at the company itself. If there is a breach, the breakdown almost certainly would come from the client, not the cloud provider.
SaaS is trickier, Bajwa says. On the one hand, cloud companies generally have much stronger protections and redundancies than even large companies. But as Bajwa pointed out, they also face bigger threats.
“Their big servers and big datacenters host millions of customers and are attacked thousands of times a day,” he says. “They need at least a thousand times more protection and scale than your private servers dedicated just for your business.”
If there are flaws in that protection, they generally don’t show up until it’s too late. Companies aren’t going to publicize where their weaknesses are, so generally speaking, it’s only after a data breach that the mistakes and oversights become known.
Contracts will lay out security measures the providers are responsible for, but the liability for the security of your company’s data ultimately belongs to the company using the cloud services.
“That’s the biggest wake-up call that businesses have to have when moving to the cloud,” Bajwa said. “The data is still their responsibility. The problem doesn’t necessarily go away by moving to the cloud; it just moves where your data is and forces you to protect it in potentially multiple places.”
