Original URL: http://www.theregister.co.uk/2013/04/09/cloud_security/
Protect your data with a cloudy mixture
Where should it live?
Many organisations today are facing the challenge of fast-changing operating conditions. At the same time, they are ever more dependent on the data and information they hold. How can they best store and protect corporate data? Is cloud the right answer or only part of it?
Securing and protecting data has been a major issue for businesses ever since computing took hold. More than 20 years ago, the rapid spread of personal computers exacerbated the situation, forcing organisations to seek ways to protect information held across many machines. PCs were under the control of their users rather than subject to central IT management.
Laptops presented a new challenge, namely how to secure and protect data that might be mobile and disconnected from the corporate network.
The fact that laptops are easy to lose has added a further complication, as has the advent of the myriad smartphones and tablets now being used to access company systems and store yet more data locally.
Overlaid on these practical challenges is the regulatory and legislative pressure being put on organisations to ensure sensitive data is properly protected. Meanwhile, users expect instantaneous access to business information from wherever they are working, creating a need to make data universally available.
Centralised lock down, while attractive to IT people, is therefore not an acceptable way forward for most users.
There are many products designed to protect data in the backup, recovery and data storage arena. The selection of this kind of software depends on the precise requirements of the organisation, its infrastructure and the skills and experience it has available.
Product selection is beyond the scope of this article but we will focus on whether developments in the cloud arena can help.
Good old personal preference can also be a factor
When thinking about the potential role of the cloud, the options are based on where primary data and secondary (for example replicated or backed-up) copies of data may be held.
The decision boils down to three choices: in-house, in the cloud (in other words hosted), or a combination of both, the so-called hybrid option.
As ever, the approach chosen will depend on the requirements for speed of access, data volumes and various risk-related factors. Good old personal preference can also be a factor, though one that is seldom acknowledged openly.
Know your data
Experience indicates that when trying to reach decisions on the appropriate approach to data management, security and protection, many organisations fall at the first hurdle because they don’t have a handle on their data.
They don’t know exactly which data exists, where it is held (including copies), its importance to the business and who precisely it is valuable to.
This is a particularly problem when it comes to laptops, home PCs and the expanding array of smartphones and personal tablets being used in business. Tackling this lack of visibility is a crucial first step in making informed decisions on data management.
Once you understand your data, you can base decisions on the organisation’s requirements and constraints, bearing in mind that what is suitable for one application or dataset may not be for others.
Where in the world?
An important consideration when thinking about cloud providers is whether the location of data is subject to any regulatory, legislative or governance-related restrictions, especially where storage of sensitive material is involved, such as customer data, employee information, financial records or intellectual property.
This is not just about whether the data lives on or off-site, but where a service provider will be storing it geographically on your behalf.
The next step is to address the practical issues. One is to identify latency-sensitive classes of data, where speed of access (response time to the user) is critical.
Unless you have extremely fast and reliable communications with your service provider, the primary location of such data is likely to be at your own facilities. This does not, however, rule out storing a replicated or backed-up copy of the data in the cloud for the purposes of disaster recovery or perhaps collaboration.
For primary datasets residing in-house for regulatory or compliance reasons, or simply for comfort, storing secondary copies in the cloud for backup or disaster recovery may be a useful option but will necessitate additional measures such as encryption.
Where latency or data sensitivity are not an issue, other datasets can be kept in-house or moved to an external service provider or the cloud. Naturally, when looking at providers the usual quality-of-service assessments and due diligence investigations applied to other suppliers must be carried out.
Only the best
Using the cloud or external service providers for storing secondary copies of data for protection or disaster recovery can offer significant advantages for organisations that operate out of a single location.
Such solutions may also prove attractive for storing primary copies of data to be shared by many users inside or outside the organisation.
Equally, cloud storage could also be used by those wishing to access data from many different devices, avoiding the need to manually move information between systems. It is important to consider the synchronisation of data between the devices, as we expect requirements in this area to grow quickly.
The main thing is to keep an open mind and consider the options in context. For all but a minority of highly sensitive, not to say paranoid, organisations, a hybrid approach to data storage is likely to offer the best balance between cost, flexibility and risk management if decisions are made on a case-by-case basis. The aim is to have the best of both worlds. ®
Tony Lock is programme director at Freeform Dynamics