Cloud vs. Desk: Which Is Safer?

When assessing the merits of hosted solutions, the first impulse of some businesspeople is to question the security of software-as-a-service, aka "the cloud," but the day when nearly all business data is stored off-site in a remote data center is fast approaching.

According to information technology professionals contacted by IB, there is nothing inherently wrong with continuing to store data on-site (aka the "desk"), as long as there is remote backup. There are several reasons why companies don't move all their data to the cloud. They might have legacy systems that have served them well, or it might not be cost effective to change. For the sake of disaster recovery, it's certainly practical to have data stored on premises with back-up storage at a data center.

In short, there may be no great need to put everything on the cloud, but the overwhelming trend is toward offsite storage in a data center, which our experts consider to be superior from a security standpoint as long as the right protocols are in place.

"The nice thing about a hosted solution is that you don't have to worry about protecting the data, but businesses do need to choose a provider that has a good reputation and have a reasonable assurance that they are going to be able to get after the information they need," said Wesley Gill, CIO and president of data back-up for Gillware.

To cover some safety ground, IB talked to Gill and to Scott Holewinski, president of Gillware, and to Justin McGuire, a member of 5Nines who's in charge of the company's systems department.

SaaSy solution

The allure of "the cloud" is obvious. Instead of worrying about whether your accounting software is stored on a machine that could crash, an entrepreneur can leave the worry to others and focus on his or her business model. The decision isn't that cut and dried, however. McGuire said that when contemplating a hosted service, the primary issue is the credentials policy – the password policies, protocols, and physical security of the remote data center.

"Typically, it can actually be more secure to use software-as-a-service as long as you're following best practice standards," McGuire said. "Use FTPS or SFTP versus FTP (file transfer protocols), SSH versus Telnet (network protocols), HTTPS versus HTTP for the URL. Secure remote desktop services with SSL encryption.

"If you do your homework and verify what types of protocols you're using to transfer your data, it shouldn't be any less secure than it currently is, and it's probably more secure multiple times over than it is when located on your premises."

When McGuire speaks of protocols, he means network protocols. When you go to your bank's website and the URL begins with https rather than http, the connection to the site is encrypted and the site's identity has been vouched for by a third party. "There is actual encryption going on for all of the typing that you're doing and all the mouse clicks you're doing for everything on that site," he noted. "There are some websites that don't enforce that, and anything else that's sitting in between the destination server at the data center, and the user and all of the data, is plain text. You can sniff it, collect it, and grab it."

That's why business consumers need to make sure they are using secure protocols, and that depends on the type of service. "If you're running a Web-based service, you need to be using some SSL-backed website, and https rather than http," he said. "If it's a remote desktop, you need to be using some sort of secured gateway rather than just a remote desktop connection – all of your Citrixes and modern Windows terminal services, which include those kinds of things by default.

"If you are http-ing information, or you're using that older terminal pipe system, or some kind of ERP system, you want to be using SSH rather than Telnet. It's the weakest link kind of thing. If you've got your password stuck to a piece of paper underneath your keyboard, you can be on the most secure system in the world, but it's not really going to stop anybody from going into your stuff."
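As an added illustration of the homework McGuire describes (this is not code from the article, from 5Nines or from Gillware), the following Python audits a constructed inventory of a business's service endpoints and flags each plaintext protocol with the secure replacement he names; all host names and addresses are made up.

```python
"""Audit an endpoint inventory for the plaintext protocols named in the article."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    endpoint: str
    protocol: str
    replacement: str


# Plaintext protocols mapped to the secure counterparts McGuire recommends.
# Direct RDP is listed because the advice is to front it with a TLS-secured gateway.
REPLACEMENTS = {
    "ftp": "ftps or sftp",
    "telnet": "ssh",
    "http": "https",
    "rdp": "rdp through a TLS-secured gateway",
}
# Well-known ports, used when an inventory entry is a bare host:port with no scheme.
PORT_TO_PROTOCOL = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https", 3389: "rdp"}

# Constructed sample inventory: what a small business might actually be using.
SAMPLE_INVENTORY = [
    "https://books.example.com/login",         # hosted accounting over HTTPS
    "http://crm.example.com/contacts",         # web CRM over plain HTTP
    "ftp://files.example.com/nightly-backup",  # backup upload in the clear
    "sftp://files.example.com/nightly-backup", # the same upload, done right
    "10.0.0.5:23",                             # legacy ERP reached over Telnet
    "rdp://desk.example.com:3389",             # remote desktop with no gateway
]


def classify(endpoint: str) -> str:
    """Return the protocol for one inventory entry: its URL scheme, else a port guess."""
    parts = urlsplit(endpoint if "://" in endpoint else "//" + endpoint)
    if parts.scheme:
        return parts.scheme.lower()
    try:
        return PORT_TO_PROTOCOL.get(parts.port, "unknown")
    except ValueError:  # malformed port such as "host:abc"
        return "unknown"


def audit(inventory):
    """Return a Finding for every endpoint that moves data over a plaintext protocol."""
    return [Finding(e, p, REPLACEMENTS[p]) for e in inventory
            if (p := classify(e)) in REPLACEMENTS]


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.endpoint}: {f.protocol} is plaintext, move to {f.replacement}")
```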

Researching prospective data centers involves examining their certifications, compliance, or accreditation (SAS 70 data center accreditation, PCI security standards, HIPAA privacy), and even taking a facility tour, if possible. McGuire rattled off a series of applicable questions. "What kind of security systems do they have? What kind of access do people have? Are other people able to get into the data center unescorted?

"As for the systems themselves, where are they sitting? Are they in cages? What other types of systems does this company host in its data center? What types of back-up systems do they have? What types of external power sources do they have – generators or contracts for fuel?

"The average business, at least the small to medium business, is not going to be too concerned about this stuff because if they have any one of those things, it's probably going to be more than they have at their office."

While it would be okay to ask which companies store their data at the data center under consideration, McGuire said it would suffice to ask about the types of businesses. If banks or credit card gateways store data there, the facility has earned a level of trust with regulated financial organizations.

Devil's in the details

One consideration, according to Gill, is what happens legally when your service contract is cancelled. Can you copy your data onto a disc or onto on-premises storage so that it can be accessed whenever it's needed? What if you miss a payment and there is a potential problem with accessing the data? These questions should be addressed in the service contract.

"I highly recommend that people using those solutions make their own copy by downloading from the Web, or through back-up that is available from some providers," Gill said. "It must be stored so that you don't end up in a scenario where you can't access your data. It becomes a question of whose data is it?"

In general, a business should keep its most privileged or confidential information in the most secure place. That means accounting records, customer relationship management records, and key documents and spreadsheets. "What is the lifeblood of business?" Gill asked. "It's not the same answer for every business, but everyone starts with financials."

Holewinski added: "If you look across most of our small business customers who bring their drives in for data recovery, they are looking for QuickBooks, their email, and then their office documents like PowerPoint, Excel, and Word. From a business standpoint, there might be some engineering firms looking for engineering drawings and things like that, but most small businesses want emails, financials, and general office documents."

Since it might not be feasible to have every piece of data on a hosted application, there will be some information on your desktop worthy of protection. The best way to protect it is with a hosted back-up solution, Gill noted.

Not a new thing

Despite perceptions to the contrary, software-as-a-service is nothing new, and McGuire emphasizes that point to companies that are concerned about the "newness" of hosted solutions. Every time you conduct a Google search, you're using software-as-a-service. Intuit and are software-as-a-service. "Even co-locating equipment is kind of a hardware-as-a-service thing," he noted. "Your bank, all of your financials and data like that, is essentially stored on software-as-a-service.

"There is no way out of it. You're already doing it. It's just a matter of whether or not you want to continue down that path and take advantage of it even more."

When some hear the term cloud computing, they might think of it as something intangible, but one of the misconceptions about SaaS is that it can't be penetrated. "Anything can be penetrated, ultimately, and everything ultimately leads to a physical device," McGuire noted. "Do I think it can't be touched? No, I don't. It can be touched. It's in our data center. The services that we offer, the software we offer as a service, is physically a device in our data center.

"I'd bet it's a lot more secure there than it is at a lot of our client sites, when it's in their closet or even in their own onsite data center."
