Aviv If we continue that thought we will pretty much reach a conclusion that that has been exacerbated by the adoption of cloud services, and storing your information actually off the device, whether it be tablet, or PC our information actually now exists somewhere else in some nameless, faceless data centre, and you don’t know who owns or runs it. Definitely the key challenge will be how to protect the key asset which is the data that you want to store and want to protect. How do you lock it to the individuals that needs to access it – be it on the cloud or on your tablet or in your own organisation?
Keith I would like to envision a world where you have no information on these devices. Everything stays in the data centre; you access it and nothing gets downloaded. If it gets compromised there is no information there, and then you can have the administrator go in to wipe the device, and that’s really how I would be talking to clients. Your managed services would be much more secure than your typical SMBs own network. They can use Australian based-hosters so that if there’s issues about not knowing where data is we can actually bring that back depending on the data. We should be thinking about the problem that way.
Sean A lot of people assume cloud services provide security but security is often excluded from terms and conditions so you do have to watch that.
Keith We are seeing that starting to change slightly, although customers are of course paying more for it.
Sean I’m a big fan of encryption everywhere. If you’re a small business or a medium business or an enterprise and you’re using cloud services you should be holding on to the keys, encrypting the stuff that’s going up there. It provides you with huge safety as far as being able to say – even as mandatory breach legislation comes in – ‘well the data was encrypted’ and you don’t have to report it, so no worries.
Sanjay With small or medium business, you shouldn’t assume your cloud service provider is secure, but it may well be more secure than you believe.
Sean I’m not saying they’re insecure, but terms and conditions don’t really specify security. So their hosting will be more secure probably.
Keith By the same token, there’s not a single security vendor product in that SMB’s network with the vendors backing it either. No security vendor says ‘if you’re hacked we’re going to pay you’. There is a company in NZ offering ‘Hacking Insurance’. I was at a risk insurance manager’s conference a while ago, and they talked about cyber insurance in the US. One point made was that cyber insurance was mostly to get access to the team of people who know what to do when you get breached, who to notify and how to do it, the instant response, rather than getting paid out because you got hacked.
Aviv Cloud services represent a significant opportunity for small businesses, particularly those seeking to dramatically improve their services. But I think the security will be embedded in whatever product they’re offering because in general small business just expect it, and we should expect it as well, that security is part of that service. I totally agree with you on threats and countries and the access to broadband infrastructure. We see that time and time again. I’d also point out most Australian companies I’m dealing with already have data overseas, so I think that that has already happened. Even if they don’t know about it, the cloud, they will have some sort of data overseas.
So the use of things like encryption, where you control that data, even if that data is in some jurisdiction that you don’t know about, is quite important.
CRN Is there not a feeling amongst some of your customers with regard to security as a service, is there a bit of a trust barrier for companies you perceive, having your security managed in the cloud – given that there is a degree of uncertainty about the cloud period – in offering security in the cloud. It strikes me that some customers might be uneasy about that.
Keith I would say that there has been a change in the market. About five or six years ago I saw probably 50 percent of customers saying ‘no cloud security, I’ve got to keep it in house, I’ve got to control everything’. I don’t see that any more.
Aviv A lot of customers are realising that by using online services, you actually get to benefit from the experts and they often get a bird’s eye view of attacks and threats coming from multiple customers, and they can correlate that and collect this data, and come up with some really intelligent decisions and mitigation steps. A customer trying to cope with that themselves may not have that same view.
Aaron On the sort of questions that you can ask our providers I agree that most have a key policy that says that the ‘responsibility of securing the data is the clients’, not the cloud providers’. Typically their key responsibility and what they actually do, is to protect one client from the other. They literally separate the tenants and once they give you your computing power, it’s up to you to use it. There are some elegant solutions, in order to encrypt that data and maintain control of that data, and we should be educating clients about that.
Keith I agree, because you can’t delegate accountability and it always resides with the customer to do it. Email is a really good way to start in a cloud based service, because it’s already clear text going where you don’t know. So it’s a really good way to get in. The next thing may be to use development environments, where you shouldn’t be using legitimate data anyway. You can start it up and down to let people get familiar with that while they start to get those relationships going, and learn that way. Then again there are some things you never put in the cloud.
CRN That brings us full circle to the beginning of the conversation. Do you think small businesses even understand what is most important in terms of their information?