Not a week goes by that I don’t, in some way shape or form, have a discussion about security concerns around cloud computing. The perception of many small and medium business leaders is that having your systems within your four walls is inherently more secure than if they were hosted with someone else such as Microsoft, Amazon, or Google. I understand this concern and think it’s absolutely necessary to ask security related questions like this when considering a move to the cloud.
The good news is that all of the major vendors offer detailed information on their security controls, audit logs, access control, encryption, etc. You could spend weeks reviewing the details or minutes reviewing the high level summary information. For regulated industries, such as healthcare and banking, organizations are often pleased to learn that the cloud solution they are considering meets or exceeds the security requirements of their regulating body.
The decision of cloud vs in-house, in many cases, is really just a matter of WHERE the system is hosted and the question becomes – Which do you trust more – YOUR datacenter or that of the cloud hosting company? In most cases I feel very strongly that the more important determinate of security is in HOW the systems are configured, regardless of WHERE they are physically located. For example, if you don’t have a good procedure in place for disabling terminated employees user accounts this is a concern for in-house or cloud systems alike! If your employees are accessing email or other data on mobile devices you should have a way to control mobile device security settings and delete the data off those devices in the case they are lost or stolen – regardless of WHERE your email system resides.
What I see with many small and medium sized businesses is that cloud often enables an overall security posture level that was not feasible when those systems where in-house. An example of this is with the Enterprise Mobility and Security Suite (“EMS”) as part of Microsoft Office 365. With EMS, organizations get enterprise level control over data on mobile devices with features such as dual factor authentication, encryption, data loss prevention, remote wipe capabilities, and many more. Prior to cloud solutions like EMS, many of these options were out of reach for small and medium sized organizations due to cost and complexity – but NOT ANYMORE!
My advice is to explore cloud migration opportunities with an open mind. You may be surprised to discovery that the cloud option is simpler and more secure than the in-house option you are evaluating.