The "Big Data" Dialogues, Part 8: Cybersecurity

Stephen DeAngelis

November 17, 2011

Joseph King, Group Vice President, JDA Managed Services, writes, “Before your business makes the leap into cloud computing, or increases its investments in the cloud, it’s essential to address the topic of data security with your provider. Navigating the cloud safely means ensuring that your most critical data is protected with a high degree of rigor that meets or exceeds your organization’s needs. Your data should be safe, secure and ready to apply to your most urgent competitive challenges anytime, anywhere.” [“Is Your Critical Data Protected in the Cloud — as Well as Leveraged to Its Full Potential?” SupplyChainBrain, 12 October 2011] King is correct — security is an essential consideration and probably one of the reasons that some companies have been hesitant to make the leap into cloud computing. Of course there are two kinds of security about which you need to be concerned: cyber and physical. In this post, I’ll discuss cybersecurity. In a future post, I’ll discuss physical security.

Last year marked a turning point for businesses. According to the annual Kroll global fraud survey, “reported thefts of information and electronic data … for the first time … surpassed physical property losses as the biggest crime problem for global companies.” [“Data theft overtakes physical losses,” by Brooke Masters and Joseph Menn, Financial Times, 18 October 2010] Last year’s survey revealed that more than a quarter of the 801 companies surveyed reported data losses. Richard Plansky, head of Kroll’s New York office, told Masters and Menn, “This is a reflection of the changing nature of the economy. More and more of the value of a company is intangible rather than things. Firms don’t make widgets. They make ideas.” The article points out that “China has become the single most problematic market for the multinationals that took part in the Kroll survey, with 98 per cent of those that do business there reporting some sort of fraud loss, up from 86 per cent the year before.” Things haven’t gotten any better over the past year. “The U.S. government [has] accused the Chinese of being the world’s ‘most active and persistent’ perpetrators of economic spying, an unusual move designed to spur stronger U.S. and international action to combat rampant industrial espionage threatening U.S. economic growth.” [“China Singled Out for Cyberspying,” by Siobhan Gorman, Wall Street Journal, 4 November 2011] Gorman reports:

“The bulk of this theft of U.S. corporate and economic secrets is carried out in cyberspace, where vast volumes of data can be stolen in seconds, according to U.S. intelligence officials. The spying campaigns have reached a crescendo, they said, as U.S. government and business operations have grown extraordinarily reliant on communication technology. … The threat will accelerate in the coming years and presents ‘a growing and persistent threat’ to U.S. economic security, according to the intelligence report, which reflects the views of 14 U.S. intelligence agencies.”

If those stories don’t scare you, they should. That is why Joseph King is so insistent that you address security with cloud service providers. However, he doesn’t want to scare you to the point that you decide that cloud computing isn’t worth the risk. King believes the advantages of cloud computing outweigh the risks. He explains the benefits of cloud computing this way:

“In the information technology world, perhaps no topic today is receiving more attention than cloud computing. Once viewed as a cost-effective, flexible option for small or mid-sized companies, cloud computing is now generating interest from even the largest businesses, whose executives once believed that their data was critical, too sensitive or too complex to relegate to a managed services model. Increasingly, companies of all sizes are realizing the benefits of leveraging a cloud approach for application hosting, hardware hosting and data management, which offer clear cost and efficiency advantages — and also allow the organization to focus on key strategic challenges, instead of administrative tasks. Cloud computing offers dynamic capabilities, such as flexible configurations, as well as ubiquitous user access from every geographic location and time zone. For core business activities such as transportation scheduling, warehouse management and point-of-sale (POS) data collection, cloud computing is ideally suited to manage extremely large data volumes and multiple collaborative relationships across the supply chain, seamlessly and invisibly. In the event of a natural disaster or other significant business disruption, cloud computing offers peace of mind and reliable business continuity. Cloud computing also delivers extremely rapid time-to-value, with full software and data hosting occurring in as little as 15 days. Your business can immediately start realizing a return on its technology investments, instead of waiting for an internal IT infrastructure to be provisioned and configured.”

Having spelled out the tremendous benefits of cloud computing, he nonetheless admits that “it’s not always easy to trust another company with the critical data that represents the lifeblood of your business.” He continues:

“Maintaining your hardware, software and precious information at an off-site facility certainly makes good business sense — but it requires real trust, based on sound operating practices. High-profile data security breaches at credit card companies, health care providers, universities and government agencies have dominated the headlines recently, reminding us of the dangers of doing business in today’s real-time, technology-connected world.”

King goes on to explain the difference between public and private clouds. He begins by discussing public clouds:

“One of the first issues your business needs to understand is the all-important distinction between public and private clouds. Today’s online world is filled with public clouds, which enable customers to subscribe to and buy data storage space. While public clouds may be cost-effective, businesses should be aware that public storage providers are likely not employing the same systematic approach to firewalls, data encryption and other security protocols that exist within their own organizations. And, because public clouds are not designed to store mission-critical data, 24/7 access might be a problem. Outages are common, whether due to site maintenance, upgrades or other issues. While public clouds are perfect for the needs of consumers, they lack most of the serious performance features and security protocols needed to run your business with a high degree of confidence.”

It only makes sense that you shouldn’t trust storing your critical business data on a site that caters to grandmothers who want to share pictures of their grandchildren with family and friends. That’s where private clouds come in. King continues:

“Private clouds are built with a single customer, or group of customers, in mind. Segregation, separation and data protection are key concepts. Because private cloud providers understand the real everyday needs of your business, continuous access is also a high priority — and your team members will be able to remotely access the applications and data they need to do their jobs, 24/7, from any location in the world. When working in a private cloud, your employees will also benefit from custom-designed, Web-based interfaces that are seamless and easy to use. The best private clouds are invisible to your team members, who only see an extension of your own business when they access solutions and data in the cloud. In addition, private clouds are generally characterized by stringent security measures which ensure the safety, integrity and real-time availability of your most important data.”

King then asks an important question, “How Protected Is My Data?” In other words, how good are the stringent security measures he addressed earlier? He says security relies on “establishing the right protocols.” He explains:

“Any IT professional can list the ‘three A’s’ of data security: authentication, authorization and accountability. Your own IT and compliance teams have worked diligently to ensure that all the information stored within your own walls is protected, in keeping with these three essential themes. In your relationships with external trading partners, your business has also worked to ensure that all third parties are accessing your data in a safe, secure manner. Nowhere are the concepts embodied by the three A’s more critical than in your choice of the cloud computing partner who will virtually host your hardware, software and proprietary data. Three A’s must be foundational to their delivery model. At the off-site facility where your data is stored, personnel should be issued proximity access cards that authenticate their identity when they enter the facility. Security personnel should be on site 24-7 to closely monitor access, backed by stringent security systems. When employees log in, user authorization should be required at both the network and system levels. Accountability should be established via standard operating system event logs that are carefully maintained and monitored. Ongoing alerts should monitor both the health and performance metrics of each technology system. Networks and systems should be safeguarded with a variety of firewalls, including intrusion prevention systems, data loss prevention systems and Web application firewalls. Cloud managers should ensure that all systems and processes are compliant with standards such as SSAE-16 (SAS-70) and Sarbanes-Oxley — and should schedule security audits on a regular basis to ensure that protocols are upheld stringently over time.”

Although my company offers cloud-based services, we often have to draw on client data being stored in the kind of cloud computing system King describes. Even though we might not be the principal provider of data storage, we are extremely security conscious. Our Solution-as-a-Service (SaaS) offerings are all SAS-70 certified. King’s next subject is the people (rather than the hardware or software) involved in providing cloud services. He writes:

“Even though cloud computing relies heavily on high-quality computing resources and stringent IT protocols, all these technologies and processes are managed on a day-to-day basis by people. It’s essential to ask and answer the question: Who is actually managing my data? What are their credentials and skill sets? The best cloud providers will have teams of hundreds of experts supporting your cloud computing needs every single day. Not only should these cloud managers be subject to background checks, confidentiality agreements and daily security protocols that control their access to the cloud, but they should also have a broad range of hardware, software and business skills. They should not only be technology experts, but also business generalists who understand your organization’s strategic needs for various software applications and operating information — and who can help custom-tailor the cloud’s capabilities to best meet your needs. Cloud managers should know not only how to store data but how to apply data to help customers streamline processes, reduce risk and expedite business results from software investments that are already in place. While your internal IT team might only consist of a small group of people, the right cloud provider can supply a team of highly qualified, credentialed experts to supplement your team. By relying on this external expertise to streamline your daily computing needs and help you leverage your data to the fullest extent, your IT staff can focus on the core strategic priorities that are driving your business.”

From the beginning, cloud computing has been touted as a way for small- and medium-sized businesses to leverage the IT expertise of larger organizations. A good part of that expertise comes in the security field. As a result, King insists that “there are very few companies that cannot achieve significant time, cost and efficiency benefits from entering the cloud.” He concludes:

“The key is identifying those parts of your business that are right for cloud computing — whether because they are data-intensive, involve partner collaboration or are otherwise well suited — then creating a close partnership with a trusted managed services provider. The right partner should combine IT expertise and a commitment to security with a general business approach that helps you maximize your return on your technology investments. Cloud managers should understand both the applications you are running and the data you are storing, as well as how these resources can be applied to your core business challenges. This approach not only helps cloud computing deliver a lower total cost of ownership and quicker returns — but, more importantly, positions your business for a competitive advantage by turning technology and information into powerful strategic weapons.”

Although most of the attention these days seems to be on cybersecurity, physical security cannot be overlooked. As I noted earlier, I’ll write more on that topic in a future post.