Secure in the cloud

1 Jan 2010

Debates over security won’t impede the march of cloud computing, writes Eran Feigenbaum, director of security for Google Apps.

It’s enough to look at newspaper headlines any day of the week and read about lost data – from misplaced USB keys to lost or stolen laptops and MP3 players, etc.

A report released last year by Credant Technologies found that London taxi passengers left more than 60,000 hand-held devices in the back of black cabs over a period of six months in 2008. Some 55,843 mobile phones and 6,193 other devices, such as laptops, were forgotten.

Cloud computing, when IT software and services are delivered over the web and through a browser, is a paradigm shift, similar to taking your jewellery out of your sock drawer and placing it in the bank.

The bank has the economies of scale. It has guards, robust safes, video surveillance — much more than any security investment you can deploy yourself. The same is true with data. Cloud providers are equipped to protect millions of users’ data every day.

As a customer, you get to enjoy these economies of scale at minimal expense. We have over 1,000 people dedicated to Google Enterprise, including some of the world’s best security experts who are helping to make sure that your data stays safe.

As computing moves out of the desktop and onto the internet, worries about security have mounted. If you store data in another company’s servers, in the cloud so-to-speak, how can you be confident that it is safe?

Firms dedicate a lot of time and resources to protecting their data. So what goes wrong? As reported by the IT Policy Compliance Group last year, human error accounts for three quarters of all incidents involving the loss of sensitive data.

When I was a chief information security officer for a major financial services company, I used to tell my team: “make it easy for users to do the right thing and they usually do.” Employees are generally not malicious — they want to work from home as part of getting their work done. Indeed, today’s young employees consider working from 9 to 5, and always at the same desk, increasingly alien. Allow them to access data anytime and anywhere, while it is still stored and protected in the cloud, and you automatically eliminate many data loss risks.

In fact, this article was drafted in my office back in California, edited in my hotel in Europe on a different PC, shared with my colleagues, and now posted from a colleague’s laptop. At no point was it emailed, downloaded to my desktop or put on a USB stick. It was all done in the cloud and protected by the cloud.

The cloud offers several other important security advantages. Most organisations take 30–60 days to install security patches on their systems, which is a major concern in its own right. In fact, many companies I talk to admit it’s closer to 3–6 months to install a security patch.

This means that traditional IT systems and applications are open to known security vulnerabilities for a very long time. By contrast, we run a very homogeneous computing environment, so when it is time to patch we can do it in a rapid and uniform manner to all of our systems.

Finally, there is the question of physical security of our data centres and reliability of our products. At Google, we replicate users’ data to multiple data centres. If one data centres goes out, our infrastructure helps ensure that the data remains secure and accessible. While in Europe, some unfortunate news helped prove my point. I was in Milan when a flood swept the country and knocked out several key data centres. Although it affected a number of local businesses, Google customers saw no disruption of service.

Admittedly, no system is 100pc foolproof, or 100pc secure. Back in March we had a programmatic error that caused a Google Docs sharing problem. However, we were able to respond quickly because it happened in the cloud. The issue affected less than 0.05pc of our users’ documents, and it was corrected without our clients having to do anything. No software to install, no upgrades, no configuration changes, etc. And we worked closely with the affected customers to inform them how it impacted their documents.

From time to time, any system will be affected by some security issues. The real question is what people, processes and technologies do you have in place to minimise the impact of these incidents, and how quickly can you respond if anything goes wrong? We designed our systems with security in mind and have a 24×7 security team looking at new threats and able to respond in a rapid manner. I’m confident that they address the sorts of concerns organisations have with their currently in-house managed systems.

We’re convinced that the future of computing lies in the cloud. Cloud-based solutions are cost efficient, collaborative, and — more often than not — more secure to operate. While in Brussels, I observed that European policy-makers are taking note.

Instead of seeing security as a negative factor weighing down the transition to cloud computing, I hope I helped explain why it should be perceived as a benefit.