Last week, I spoke at an event to people with on-premises Exchange environments who were looking to move to a cloud-hosted service like Office 365. Every time I speak on such migrations, someone in the audience raises his hand and goes off about the latest cloud hack to suggest the cloud is unsafe. It happened last week, too.
How am I -- or anyone -- supposed to respond to the naysayers? Yes, I know online services have been hacked. I’m also aware that many of these folks, while sincere in their desire to protect their data, are also uncomfortable with losing control over it. It’s a sensitive subject, to be sure.
I have a response -- but it's not a technical one.
It begins with making an effort to understand the core claim. In this case, the cited hack was that of Apple's iCloud, which was an easy one to address because iCloud itself was not in fact hacked. Instead, people fell victim to phishing scams, which let hackers use their iCloud credentials -- phishing can be used to access any online system, including those in your data center. (As I’ve said before, I believe two-step authentication is essential to ensure a greater level of safety.)
After I explained that the iCloud "hack" wasn't what it seemed to be, I expressed the validity of security concerns, as such incidents trigger the basic fear that all people have when putting data online. But I also emphasized the real solution was to provide solid security measures, not to blame a whole platform for poor security by one provider or implementation -- cloud or otherwise.
My next step is to appeal to their sense of time (or lack thereof). I explain that I understand that with on-premises security over data, IT admins know who is responsible for security and believe it to be safer in those known hands (it may be their own). But I also point out that many IT admins are running around with too much on their plate. Security has become a full-time job and requires a tremendous amount of expertise to do it right on-premises. For all the fear of the cloud, the fact is companies are routinely hacked, and many never even know it. In reality, your on-premises systems are not more secure than the cloud.
Don't forget: Cloud providers can have people working 24/7 to improve security. They can also invest much more money into data security than any individual company can.
Jesse Lipson, then CEO of ShareFile (now owned by Citrix Systems), once wrote that our belief that we can do a better job of securing our data on-premises than a cloud provider can is a case of our brain playing tricks on us: “Your brain is conflating control with safety. This same fallacy is what causes some people to be afraid of flying on an airplane. Because they are not in control ... they become afraid.”
Lipson continued, “Most cloud computing companies are like experienced airline pilots.” They are well trained, have alternate plans, and know the implications of a hack or crash on their bottom line.
At the same time, I still put the onus on the consumer to choose an elite security solution -- they aren’t all equal. Before purchasing an on-premises system for storing and securing data, you must do a tremendous amount of research. Yet it seems that some people do very little research -- if any at all -- before moving their data to the cloud. That’s a mistake, obviously.
You have to ask: What is the reputation of the company storing your data? Has it experienced a breach? How long ago? What SLA does the company provide? Is there encryption of your data both in motion and at rest? What recourse do you have should a hack occur? What if you wanted to get your data back?
What usually comes next -- it did last week -- is the cloud objector saying, “Even though I may not be able to give my organization the time and skill set perhaps that a cloud vendor could in terms of security, right now I’m a small fish that nobody is targeting. But if I put my stuff in the cloud, the vendor may be the target and I get caught in the data breach.”
That's a plausible dilemma. Therein, as they say, lies the rub. You're the innocent bystander who does everything possible to ensure users are trained, make security a key objective, and choose a solid vendor. But a weakness is found in your provider, which is breached, and now your data is compromised. You're convinced that had you remained on-premises, this never would have happened.
It's hard to argue with that. Going to the cloud indeed takes a leap of faith, and only you can make it. You have to live with the decision, so ultimately you are convinced the security in the cloud is adequate -- or you aren’t. If you're not, wait until you feel safe enough to make the move.
There's no need to bully folks into the cloud. It will happen in its own good time, when people feel safe enough entrusting their data to the cloud. It may take a good long stretch with no breaches (real or false) to create the trust that the cloud is a safe place for your infrastructure and data to live.
That's an emotional decision, not a technical one. Be clear about exactly what it is.