When Hurricane Sandy hit the eastern seaboard of the United States, disruption to business was massive. With the New York subway closed and widespread power cuts across the region, disaster recovery plans were tested to the limit.
This is the kind of situation that could be expected to exceed the scope of any contingency planning. But the clients of Savvis, a global data centre and cloud computing provider, found their data was unscathed.
Savvis has seven data centres on the US East Coast, running a cloud environment for a vast assortment of businesses. These data centres have been constructed along solid design principles that saw them located on high ground and with power supplies independent of the electricity grid.
This example illustrates why handing over large parts of a company’s IT real estate to a third party is often a much more secure option than keeping software and hardware in-house.
Andrew McCreath, director of cloud for Savvis in Europe, notes that the facilities available to a $1-billion company, devoted exclusively to storing data securely, offer a huge degree of reassurance to any business.
What is true for keeping data safe in a disaster is also true for keeping it private. Any well-resourced service provider almost certainly offers more profound technical security than the IT department of most businesses.
Security worries, which keep certain information out of the cloud, often boil down to concerns about human access
Even though many firms appreciate this in the cold light of day, most remain reluctant to hand over information that is sensitive to their business – and the definition of “sensitive” varies from firm to firm.
In a retail bank, for example, the crown jewels are certainly client data. The cost of a breach of data integrity goes well beyond the individual event to the core of the firm’s reputation and credibility with its customers.
For other firms, the most sensitive data contains the proprietary information that gives a business its competitive edge. AMV BBDO the UK’s biggest advertising agency is currently shifting its day-to-day IT operations into the cloud, via Microsoft’s Office 365 service.
But it is keeping in-house the sensitive research information that provides critical insights into consumer behaviour. This approach to the cloud recognises the economic benefits of handing over mundane IT matters to a third party, but also realises the need to segregate certain vital files.
“All data is not the same,” says John Manley, director of cloud services at HP, the world’s largest technology company, in Bristol. Mr Manley points out to cloud providers that the security worries, which keep certain information out of the cloud, often boil down to concerns about human access. But, by automating all cloud processes, these can be allayed, he says.
Mr Manley advises businesses entering the cloud to undertake a completely frank risk audit to help identify the data that is too precious to farm out. This should address the legal, financial and reputational risks associated with any breach of data held online.
So-called “data sovereignty” – the national laws concerning data privacy – add another dimension that cloud providers must consider. In the rush to park information with online service providers, a lot of companies have found that having their data stored abroad bangs up against national laws on privacy and data protection. For example, businesses holding information on French or German customers are subject to strict national laws limiting third-party access to that information.
Data sovereignty, it turns out, is the biggest worry for businesses in the cloud. Some 32 per cent of respondents to a recent IDC survey of 1,000 European businesses said this was a barrier to greater adoption. Finding a cloud provider who can guarantee which jurisdiction sensitive information ends up in is crucial. Half of Savvis’ 52 data centres are cloud-enabled, for example, meaning the company can ensure that client’s data is hosted in the jurisdiction that suits them.
This is not to underestimate the dangers of security. Security and data protection came a close second in the barriers identified by IDC’s research. But the lesson here is not ultimately about security standards in the cloud. It is about spotting which data simply does not belong in any third-party online environment. Businesses need to start by working out which data should never leave the building.