‘The Cloud’ … We hear the term used on a near-constant basis in today’s business environments. Cloud-based applications are everywhere and offer nearly every imaginable service. It is billed as the best solution to any given problem. You pay a fee to a third party, which is less than the cost of doing it yourself, and they store your data or process your data or keep your data secure. This, in my opinion, is both the great boon and the great bane of ‘The Cloud.’
My own reluctance to fully embrace ‘The Cloud’ is well known in the circles I frequent. Don’t get me wrong, The Cloud has great utility. It can provide access to better and more powerful tools than smaller businesses might otherwise be able to afford. It allows larger companies to hand off risk and even out costs over time. Admittedly, the judicious use of ‘The Cloud’ can help businesses be more efficient and more productive. But there is a BUT…
Cloud-based systems hand control over your data/processing/storage to someone else. They add a layer of abstraction between you and your hardware/software/security. We simply assume that the cloud provider is better than we are at everything. Their security must be better, their talent must be better, their resources must be better. That is why we should move to the cloud, yes? Unfortunately, that is not always (or, I would argue, even most of the time) the case.
Just today Google (100k employees producing $136B in revenue) announced the discovery of a bug that allowed passwords for G-Suite Enterprise accounts to be stored in plain text… for FOURTEEN years… Think about that for a minute. G-Suite wasn’t officially released until August of 2006. Google did not say how many users were affected, but as of January of 2017 there were around 4 million paying business customers for the platform. To be fair to Google, passwords are only one of the measures used to keep and maintain security over their product, but if this bug went undetected for 14 years, what other bugs might yet be undetected? Hopefully it won’t be another 14 years before we find out. Lest we think this was a one-off event: both Twitter and Facebook (and oh so many more…) had much worse events where hundreds of millions of user passwords were either hacked or stored in plain text.
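For readers who want to see concretely what “stored in plain text” means versus what a credential store should look like, here is an added example (my own illustration, not Google’s code and not a description of how the G-Suite bug actually occurred). It contrasts a plaintext store with a salted PBKDF2 store and includes a small audit check that flags any account whose stored record still contains the password verbatim. The sample accounts are constructed, and the PBKDF2 iteration count is an assumption chosen to match current public guidance, not a value from this post.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; these are not real accounts.
SAMPLE_USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
}

# Assumption: a work factor in line with current public guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(users):
    """The failure mode the post describes: anyone who can read the store reads the password."""
    return {user: {"password": password} for user, password in users.items()}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a per-user salted hash; the record holds everything needed to verify later."""
    if salt is None:
        salt = os.urandom(16)  # unique random salt so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "alg": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def store_hashed(users):
    """What the store should hold instead: a verifier per account, never the password itself."""
    return {user: hash_password(password) for user, password in users.items()}


def verify_password(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaked_accounts(store, users):
    """Audit helper: return the accounts whose stored fields contain the password verbatim.

    A store that passes this check is not automatically secure, but one that fails it is
    exactly the plaintext-storage defect discussed above.
    """
    leaked = []
    for user, password in users.items():
        fields = store[user].values()
        if any(isinstance(value, str) and password in value for value in fields):
            leaked.append(user)
    return leaked


if __name__ == "__main__":
    plain = store_plaintext(SAMPLE_USERS)
    hashed = store_hashed(SAMPLE_USERS)
    print("plaintext store leaks:", leaked_accounts(plain, SAMPLE_USERS))
    print("hashed store leaks:   ", leaked_accounts(hashed, SAMPLE_USERS))
    print("bob login ok:         ", verify_password(hashed["bob@example.com"], "hunter2"))
    print("bob wrong password:   ", verify_password(hashed["bob@example.com"], "hunter3"))
```

The audit function is the piece worth borrowing: run it against a copy of whatever your vendor or your own application persists (database rows, log lines, backups) with a handful of known test passwords, and any hit tells you the credential is recoverable by whoever can read that storage. The vendor’s compliance certificate does not make that check for you.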
The obvious question then becomes ‘So what am I supposed to do?’ To be honest, that is the same question I am currently struggling with. It seems the choices are to keep things in-house and risk losing out on opportunities that come my way, or to risk my secret sauce and trust that my vendor is doing it right and protecting my data and processes properly. I think the answer lies somewhere in Rule #6 (part of an upcoming series; stay tuned), which states “I believe my company’s success is my responsibility. I understand that being ‘compliant’ does not mean I am safe.”