Cloud Security for SMEs

I often see postings, or hear discussions asking if the cloud is sufficiently secure for SMEs.
Like any good consultant, the appropriate answer is it depends – or does it?

Earlier this year I had the pleasure of undertaking the Cloud Security Alliance course and exam leading to the Certificate in Cloud Security Knowledge (CCSK). It quite correctly teaches a methodology assessing all factors that contribute to the risk. Good stuff, but…

This is a process and skill set beyond the non-IT-savvy SME. They could hire a CCSK consultant to help them (my rates are…), but most won’t: the attraction of the cloud is cost saving, and this sounds like it will add cost only to tell you something that is much simpler.

Here’s my hypothesis:

  1. Choose a provider that has a good brand reputation. The key here is making sure they have more to lose (brand reputation) if the security of the service fails than you do.
  2. Forget the advice about negotiating the SLA etc, you won’t be able to, you are simply not spending enough money. Read it and accept it, or look for a different provider.
  3. Forget about service credits, these will be insignificant compared to the cost of the lost / stolen data.
  4. Only use it for things that will not kill you if lost. A lot of stuff may be embarrassing and cause some temporary challenges, but rarely business ending. Don’t use it for your 100 year old secret cake recipe.
  5. The ability to easily migrate would be good, but the technology is not mature enough for that dream yet
  6. Is it suitably backed up? Suitably is the key word – can your business continue to operate if the provider misses their recovery SLA, because they probably will. It’s no use shouting at them to do it quicker – they won’t (voice of experience). Email is a good example here: if the server fails, many people will have a local copy on their phone/iPad/Outlook client, so it is not as disastrous as it could seem for an interim period.
  7. Get the users to choose a good unique password, this is normally the weakest link.
  8. eDiscovery may be a challenge, but I argue no better/worse than if insourced
  9. Think about what could go wrong, and think at a business level (not a technical level) about how to mitigate the risk.

The first point is the key one, and a major influence in my decision to outsource Nexor’s service to the cloud. My justification is that a good cloud provider is in a much better position to secure the service than a typical IT person in an SME is to secure an internal infrastructure. What is more, securing an internal infrastructure is getting harder week by week. So leave it to suitably validated professionals, who will probably save you money at the same time (or at least move the cost model from capital expenditure to operational expenditure).

Analysis of the approach:

  • Against best practice advice? Almost certainly.
  • Any better than a full risk analysis? I am not convinced; you’ll probably make the same decision, just be a bit better informed.
  • Would I propose such an approach if the assets you were considering moving to the cloud are mission critical, or your core intellectual property (that 100 year old cake recipe again)? Absolutely, certainly not. If the asset is such that its theft or unavailability will do your business or mission real harm, you need professional help.