Public Cloud Security: Taking a Balanced View

It was only a few years ago that IT leaders who were asked to move systems to public cloud environments would push back. After all, how could they possibly entrust security to an unknown team of people operating out of their sight and control?

Fast-forward to today, and the security posture IT leaders take when overseeing migrations to public cloud environments is decidedly more measured.

“We’ve moved on from a lot of the oppositional concerns to full-blown assessment and transition,” says Eric Hanselman, chief analyst at 451 Research. “The main reason for hesitancy was lack of understanding. We’ve always assumed that all of our IT infrastructure was physically within our grasp. Moving things out of our physical control is always disconcerting.”

IT executives will have to get even more comfortable with giving up control, as every indication is that the public cloud will become an ever-larger part of the IT footprint. IDC forecasts that global spending on public cloud services will grow at a compound annual rate of 23.5 percent over the next few years, reaching $107 billion in 2017.

Even when companies have had good reasons to doubt the security of their public cloud providers, the weaknesses that were exploited have more often been the result of lax internal security practices on the customer's side than of flaws in the provider's technology.

“Blaming the cloud for security problems is like blaming a house for getting broken into,” Bruce Guptill, senior vice president and head of research at Saugatuck Technology, said via email. “If you leave doors or windows unlocked or poorly locked, if you leave expensive goods lying around in sight, if you don’t manage the house like you want it to be secure, it won’t be.”

Getting Comfortable With the Cloud

That perspective goes a long way toward explaining why Chris Romano, CIO of Ward & Smith, a 275-person law firm with five offices throughout North Carolina, has so few concerns about public cloud security.

Romano has overseen Ward & Smith’s adoption of a handful of software-as-a-service (SaaS) solutions. His approach has been characterized by three things: a preference for providers that cater specifically to the legal industry, a healthy focus on due diligence in selecting those providers, and close attention to the security details the firm itself can control.

“My take on these types of industry-specific providers is that after we’ve done due diligence, I’m very comfortable with the state of security,” says Romano. “That being said, it’s a moving target. There’s certainly a responsibility on our part to make sure our Internet pipe is secure, to make sure the way people access their data is secure, and to make sure we’re following best practices.”

Among the industry-specific SaaS solutions Ward & Smith uses are NetDocuments (document management and email archiving), FoundationIP (managing IP-related cases), and Intelliteach (help-desk ticketing for law firms). The firm augments those with services such as Epicor (HR information) and ADP (payroll).

This list is likely to get longer, as Romano foresees the firm “adding more [products] to the mix if they make sense.” For instance, he’s currently evaluating a couple of SaaS-based case management products for specific types of cases.

Still, even a CIO who has as much confidence in public cloud providers as Romano does sometimes finds those old security concerns holding him back.

“I would have a real tough time convincing the firm to put accounting data in the cloud,” Romano says. “They’d have a really, really rough time making the leap of faith to put their financial information outside the data center.”