Access and security are two major considerations when contemplating moving your systems and information from internally maintained systems onto platforms and solutions hosted on the Internet. Company files, patents, trademarks, proposals, customer lists, vendor lists, pricing and cost arrangements: this type of data arguably comprises the most valuable asset of any business or organization, and how and where it is accessed and stored is vital to preserving that value. Prior to "cloud" computing (the migration of systems and data storage onto Internet-based services), every company kept its systems and data in-house. Access, security and safeguarding were addressed directly by the business, mainly through in-house systems and solutions, and a physical safeguard could be as simple as a secured area within one of your own buildings. Each business had a direct connection to its systems and information, housed mainly under its own roof. Fortunately or unfortunately, more and more IT has been, and continues to be, shifted to external online solutions, where the security and safeguarding of your information depend on the controls, policies and procedures of third-party entities bound to you only by contract.
Access means allowing those who are authorized to get in, anytime and anywhere, and, even more importantly, keeping out those who are not. The safeguards (both system controls and manual policies and procedures) dictate how strong access control is on day one, but how those controls, policies and procedures are maintained on an ongoing basis is potentially even more important. Systems change, personnel change, and non-compliance with any safeguard could result, in the best case, in unauthorized access to your systems and data and, in the worst case, in the compromise and theft of key proprietary information.
Security means asking how secure your data and systems are, and how reliably both remain available without interruption. How are the systems and data secured, both physically and electronically? As with access, the system and manual controls implemented dictate how strong the security over your information is, but ongoing compliance (and assurance that compliance continues) is just as critical.
Some issues I have yet to overcome before I can support the "cloud" movement: 1) What happens if a dispute develops between the business using cloud services and the cloud provider? Under the old in-house configuration, the business simply withheld payment from the outside IT vendor and found new IT solutions while the differences were resolved or litigated; its systems and data stayed where they were. Under a cloud-based solution, the cloud provider could simply turn off access to its systems (and your data), holding all the leverage in resolving the dispute. Relationship good: switched on. Relationship sour: switched off, and no one has access to anything.
2) Today's denial of service attacks on websites, launched in response to the US Government's abrupt shutdown and seizure of Megaupload's website (www.megaupload.com), illustrate two genuine risks to the access and security of your online systems and information. First, what if your business relied heavily on moving files between locations, sites and countries using Megaupload's service? The government's decision to abruptly shut down the company's website and business directly cut off your access to the files stored there or in transit, before you even consider finding another solution to keep your business running. Could the government do something similar to any of the web-based giants many businesses rely upon, sites like Google? Who knows? The fact is that today, abruptly and with no notice for planning, the government shut the site and the business down and ended all communication with it, leaving the government holding all the leverage in resolving whatever issues it had with the organization or its practices. All the while, Megaupload's business will remain closed, and any business or individual who used it is left outside looking in. It is similar to when the FDIC abruptly takes control of a financial institution: an abrupt closing with no notice, leaving banking customers looking in through the doors and wondering how and when they will ever regain access to their funds. One major difference history has shown is that banks tend to reopen shortly after a takeover, so the denial of access to funds is short-lived. When, and whether, a website or Internet-based solution that is shut down will ever be open for access again is anyone's guess.
3) Government takeovers aside, individuals and organizations with ill will can also interfere with access to and the security of your systems and information. Today's denial of service attacks shut systems down, preventing any access until the attacks were dealt with. How would a denial of service attack on your cloud provider's systems affect your access, your employees' access, and your customers' and vendors' access? How much business would be lost if access to your systems and data was lost for even one business day? The scenarios are not hard to imagine. One cloud provider seeking more business could orchestrate a denial of service attack on a competitor's cloud system with the goal of luring the competitor's customers over to its own. This type of "competitive" activity has always existed; why would anyone believe it would not exist in the electronic world?
Perhaps I am less open-minded about expanding into "cloud" solutions because of my experience in forensic and litigation matters, where loyalties, contracts, duties, services, systems and data have been routinely violated regardless of the safeguards, controls, laws, regulations and consequences in place. In the end, today's attacks continue to show me just how vulnerable businesses and individuals alike are when they are heavily invested in, and reliant on, solutions outside their control for accessing and using their systems and information.
Here’s an article relating to today’s attacks: