Showing posts with label data protection. Show all posts

Monday, August 27, 2012

Is Cloud More Secure Than On-Premises Software?

Security is the most common objection people - or companies - raise against the adoption of a cloud-based solution. There have certainly been enough stories reported about compromised passwords and other security breaches at cloud-based services such as Dropbox or iCloud. Emotionally, it feels like having our data stored somewhere where we can’t see it is just not very secure.

But let’s face it, we’ve had our money stored somewhere where we can’t see it for decades. Yet we seem to be completely trusting of our banks. Nobody is arguing that our money would be more secure under our mattresses. Quite the contrary, we rush to put our money into the banks knowing full well that the bank doesn’t actually keep the money. At the end of the day, it is just an entry in a computer database somewhere...somewhere...in a cloud. Or private cloud to be more precise. In any case, we consider banks highly secure today.

And so, the latest argument about cloud security goes in the opposite direction. We are beginning to realize that the cloud companies have more at stake, and so they are likely investing in security more than a typical company ever would or could afford for its on-premises software.


Let’s take an example. Thousands of companies across North America have been using ADP to process their payroll for many years. ADP’s payroll processing is a cloud-based application - it has been since long before we knew what the cloud was all about. ADP even offers to outsource the service, not just the app. Yet as far as security goes, nobody is screaming that it is preposterous to have all that highly confidential personal data stored at ADP. In fact, most people think that it is probably safer at ADP than it would be if processed by their own employer.

Indeed, cloud companies are increasingly considered capable of providing more security features than companies running on-premises software. Just yesterday, Dropbox raised the bar by rolling out two-factor authentication. How many of your on-premises applications have that?

But then again, the cloud companies are a much bigger and more attractive target for the bad guys. The hackers might never pay attention to your company and your data center, but they sure know about Google Apps, Dropbox, Amazon EC2, Microsoft Azure, and Apple iCloud. A big-name cloud company is just a very lucrative target that many hackers see as a challenge they can’t resist.

So what gives? Is our data more secure on-premises or in the cloud? Well, I suppose there is no black-and-white answer out there today. There are many considerations that need to go into software selection - on-premises or in the cloud. Security is certainly one of them. And we can be sure that the security debate will remain a hot one for quite a while.

Sunday, March 4, 2012

The Need for Privacy

The marketing guru Seth Godin wrote a blog post recently in which he claimed that the notion of privacy is an illusion and that we don’t really have any privacy today. He argues that people don’t really care about privacy - the only thing they care about is being surprised.

I’ve been thinking about this post and it has been bugging me. Yes, I do agree that we have less privacy than we often realize. I know that my bank knows how much I earn, my credit card company knows my spending habits, my doctor knows my health status, my mobile phone company knows where I travel, Facebook knows all my friends [who are on Facebook], and Google knows pretty much everything I’m up to.

But that information is compartmentalized. My bank doesn’t know my spending habits. My mobile plan provider doesn’t know what I am searching for online and my insurance company doesn’t know my exact health status. It is important that it remains that way. The triangulation of information is the real danger. If my mortgage company gets access to my health records, that’s bad. If my mobile plan provider got access to my friends, that’s not cool.

I accept that my physician knows my health and I accept that my credit card company knows where I shop for clothes. I trust that they will treat my data with confidentiality because their survival as a business depends on that. Whether regulated by law or by market forces, every business has to treat its customers’ data with confidentiality. A doctor who doesn’t keep patients’ information confidential breaks the law and won't be a doctor for much longer. A cell phone company that discloses whom I am calling without a court order breaks the law and has to be punished.

It is the triangulation of data that makes me really worried. When a harmless-looking iPhone app starts collecting info from other apps, that’s not a surprise, as Seth Godin calls it. That’s a criminal activity. Just as it would be if my doctor started sharing my medical records with my life insurance provider.

We do care about privacy. There is a different degree of privacy awareness among different demographics, likely depending on their culture, education, and other factors. Forrester Research recently published a global heat map on Privacy and Data Protection by Country which clearly shows that the US is below par compared to many other countries - although still ahead of China and Nigeria. Clearly, some countries take privacy much more seriously than the US. But even in the US, we care about privacy and we want it really badly.

Forrester Research: Privacy and Data Protection by Country

Having companies provide me with service and collect detailed information about certain parts of my life along the way is OK. But swapping that info with other companies is unacceptable.