For the past few years now, I’ve worked in the Health Insurance industry. I remember going to work on one of my first days there, and not being able to get to Google Drive. Not only that, I couldn’t open a Google Doc, or use any of a host of Google tools. It was then I was told that due to security concerns, specifically the protection of Private Health Information (PHI), and HIPAA compliance, we were restricted from any file sharing sites that were hosted in the Cloud. And it only got worse. As I came to find out later, not only were employees restricted from the Cloud, but none of our applications and products used cloud storage. All our storage was in our own data centers. Coming as I did from a company that embraced the Cloud, this experience felt so backward, and I’ve been doing a slow cynical burn about it ever since.
Having said that, when I first began Bernard Golden’s article on “The Case Against Cloud Computing”, and in particular because of reasons having to do with HIPAA compliance, that burn kept right on going. But thankfully I stuck with the article, and Golden’s real feelings on the topic became clear. Because I quite agree with him. I don’t see “The Cloud” as the risk everyone else seems to. First, imagine trying to recover lost data if one of your own on-site data centers goes down, and you have no redundancy. Or trying to switch users to another data center if both of yours are in the same geographical location. Business continuity concerns are just as great, if not more so. Second, that is why the Cloud industry spends billions of dollars a year on cloud security. Your data is just as secure from thieves in the cloud as it might be in your own local facility.
The key, as indicated by Golden, is to thoughtfully manage risk while not being frightened by new technologies. This is done through risk assessments, deep dive analysis of a potential cloud partner’s capabilities (how do they manage risk on their side), and an understanding of how your organization addresses security challenges today.
Sources:
Golden, B. (2009, January 29). The Case Against Cloud Computing, Part Two [Editorial]. Cio.com. Retrieved from https://www.cio.com/article/2431044/cloud-computing/the-case-against-cloud-computing–part-two.html
I liked this post. Having a bit of a background in IT Security, I found the post well done. I think that risk assessment would be a full-time career for someone, as the “black hats” seem to be way ahead of us “white hats”. Basically, this is because we are reacting to the threat rather than being able to anticipate the threats.
Your post brought back memories. When I worked in the health industry, I remember how cautious my company was about handling PHI and avoiding HIPAA violations. There was no such thing as “cloud” back then, but there was Google Mail, and that was blocked like in your experience. I also found that odd because nothing is special about web email. Web email clients are not so fundamentally different from blogs and forums: both allow reading and writing information. If my company’s concern was to prevent sneaking out a proprietary document, then why not simply block file uploads using a web filtering device?
I enjoyed the post. While the outlook for migration to cloud services looks bullish according to the cloud pundits, there are enough incidents (Intel chips security flaw) that should cause prospective clients to pause, reconsider, and proceed with caution. At the very least, mission-critical applications may not be ready for the cloud without extensive and expensive failsafe measures in place. Moreover, clients must be willing to accept possible cloud-services failures as an integral part of running business on the cloud, much as they must be willing to accept inevitable service outages for their non-cloud-deployed services.