Monday, November 2, 2009
As computing moves out of the desktop and onto the Internet, worries about security have mounted. If you store data in another company's servers, in the cloud so-to-speak, how can you be confident that it is safe? Earlier this autum, I completed a a tour in Europe, including stops in Italy, Germany, France, Belgium and the UK, and will soon travel to Spain and Holland to explain the counter-intuitive notion that data actually can be much more secure in the cloud than on the desktop.
Cloud computing, when IT software and services are delivered over the web and through a browser, is a paradigm shift, similar to taking your jewellery out of your sock drawer and placing it in the bank. The bank has the economies of scale. It has guards, robust safes, video surveillance — much more than any security investment you can deploy yourself. The same is true with data. Cloud providers such as Google are equipped to protect millions of users' data every day. As a customer you get to enjoy these economies of scale at minimal expense. We have over 1000 people dedicated to Google Enterprise, including some of the world's best security experts who are helping to make sure that your data stays safe.
It's enough to look at newspaper headlines any day of the week and read about lost data. Data on USB keys, lost or stolen laptops, MP3 players, etc. A report released last year by Credant Technologies found that London taxi passengers left more than 60,000 hand-held devices in the back of black cabs over a period of six months in 2008. Some 55,843 mobile phones and 6,193 other devices, such as laptops, were forgotten.
Businesses dedicate a lot of time and resources to protecting their data. So what goes wrong? As reported by the IT Policy Compliance Group last year, human error accounts for three quarters of all incidents involving the loss of sensitive data. When I was a Chief Information Security Officer for a major financial services company, I used to tell my team, "make it easy for users to do the right thing and they usually do." Employees are generally not malicious — they want to work from home as part of getting their work done. Indeed, today's young employees consider working 9 to 5 and always at the same desk increasingly alien. Allow them to access data anytime and anywhere, while it is still stored and protected in the cloud, and you automatically eliminate many data loss risks. In fact, this blog was drafted in my office back in California, edited in my hotel in Europe on a different PC, shared with my colleagues, and now posted from a colleague's laptop. At no point was it emailed, downloaded to my desktop or put on USB stick. It was all done in the cloud and protected by the cloud.
The cloud offers several other important security advantages. Most organizations take 30-60 days to install security patches on their systems which is a major concern in its own right. In fact, many companies I talk to admit it's closer to 3-6 months to install a security patch. This means that traditional IT systems and applications are open to known security vulnerabilities for a very long time. By contrast, we run a very homogeneous computing environment, so when it is time to patch we can do it in a rapid and uniform manner to all of our systems.
Finally, there is the question of physical security of our data centers and reliability of our products. At Google we replicate users' data to multiple data centers. If one data center goes out, our infrastructure helps ensure that the data remains secure and accessible. While in Europe, some unfortunate news helped prove my point. I was in Milan when a flood swept the country and knocked out several key data centers. Although it affected a number of local businesses, Google customers saw no disruption of service.
Admittedly, no system is 100% foolproof, or 100% secure. Back in March we had an unfortunate programmatic error that caused a Google Docs sharing problem. However, we were able to respond quickly because it happened in the cloud. The issue affected less than 0.05% of our users' documents, and it was corrected without our clients having to do anything. No software to install, no upgrades, no configuration changes, etc. And we worked closely with the affected customers to inform them how it impacted their documents.
From time to time any system will be affected by some security issues. The real question is what people, process, and technologies do you have in place to minimize the impact of these incidents, and how quickly can you respond if anything goes wrong. We designed our systems with security in mind and have a 24x7 security team looking at new threats and able to respond in a rapid manner. I'm confident that they address the sorts of concerns organizations have with their currently in-house managed systems. More than 2 million businesses have already signed up for our Google Apps suite, and this number is expanding by an additional 3,000 businesses each day.
We're convinced that the future of computing lies in the cloud. Cloud based solutions are cost efficient, collaborative, and — more often than not — more secure to operate. While in Brussels, I observed that European policymakers are taking note. At least three studies on cloud computing undertaken by the European Commission and its security agency ENISA are in the pipeline, and we also talked about ways to demonstrate to professional and personal users alike how we respect our users' security and privacy. Instead of seeing security as a negative factor weighing down the transition to cloud computing, I hope I helped explain why it should be perceived as a benefit.
Posted by Eran Feigenbaum, Director of Security for Google Apps