The Security Risks of Cloud Computing

Many companies evaluating CRM software, or any enterprise application, have concerns about putting their customer list, sales data and other company assets into somebody else's hands.

The elephant in the room can feel more like a raging rogue bull that can destroy a company in a single instant, and its name is Security Breach. Everyone shudders at the thought of a security compromise. And many are concerned that Software as a Service (SaaS) is a virtual red flag that entices that bull elephant to attack. The problem with this fear is that it is overly broad and requires deeper examination to separate fact from fiction. When it's time to procure, upgrade or change your CRM software, do your CRM planning and consider the facts.

Fact #1: Cloud Providers Offer Information Security Seldom Matched by Private Enterprises

As a matter of normal practice, cloud CRM providers maintain impressive security postures, including:

  • A security infrastructure which includes expert staff, a comprehensive and living information security plan, multiple layers of security defense, trained and verified processes, periodic and random vulnerability assessment audits, controlled penetration tests, redundant hot sites and a verified and tested Business Continuity (BC) and Disaster Recovery Plan (DRP)
  • Independent annual information security certifications and attestations from authorities such as the United States federal government (NIST Certification and Accreditation, C&A) or the International Organization for Standardization (ISO 27001)
  • Independently certified multi-layer and Deep Packet Inspection (DPI) firewalls managed 24 by 7 by security experts
  • Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and Incident Response Systems managed 24 by 7 by security experts
  • Independently issued digital certificates, SSL-encrypted traffic and encrypted data at rest
  • Multiple commercial anti-virus products redundantly installed at multiple network layers, including the gateway, the application layer and web server farms
  • Physical security infrastructures with measures such as mantrap staging areas, multiple factor biometric scanning and card combination access authorization, dual-identification entry systems, 24 hour security guard monitoring, facility-wide indoor and outdoor closed-circuit TV, individually secured cabinets, integrated alarm systems and 24 by 7 environmental monitoring

"Do you really have the right measures in place for security threats and business continuity issues?" asks Rob Käll, president of Bookt, a web services provider to the global vacation rental and hotel industry. "For example, what happens if someone hacks your servers?"

Indeed, what happens upon a natural disaster such as a tornado, flood or earthquake – or an accident such as a fire – or if a hacker gains access to your network or acquires credentials through a stolen thumb drive, a forgotten smartphone or an unguarded laptop? Do your internal staff, tools and processes offer the same level of preparedness and response as the commercial cloud providers?

Also consider that on top of all those risks, the biggest risk of security compromise comes from your own people. Most information security studies consistently show employees as the number one threat to your data. In fact, security breaches are four times more likely to stem from employees than external hackers. Does storing your data on-site increase or decrease the risk of theft by employees?

Is confidential or sensitive data any safer on your own servers than in the cloud? Probably not. Data stored in the cloud is subject to comparable threats whether it sits on a server in your own data center, down the street, in the next city or elsewhere. The difference is that cloud providers maintain much greater preparedness for such events.

If security concerns are the only thing holding you back from adopting a cloud solution, compare your current risk exposure to that if you go with a cloud provider. You will most likely be gaining much improved security by enlisting the services of cloud providers.

It's not that individual companies cannot make the efforts and investments to implement state-of-the-art information security infrastructures; it's just that security is not their core competency and the investment probably wouldn't make business sense.

"Cloud-computing providers can solve these security and business continuity problems on a much greater scale and the savings are passed to the consumers of the services," says Käll. "They are also likely to have more seasoned staff and every Software as a Service (SaaS) provider knows that their reputation lives and dies with their security and uptime performance."

Fact #2: WWW is not the Wild Wild West

To the uninformed, the Internet is a dangerous place that threatens your company's security. Informed business and IT leaders, however, recognize the risk and the need to mitigate it, because their companies cannot survive or thrive without the Web.

Even non-cloud companies spend plenty of time connected to the Web – for email, making remote presentations, supporting remote staff, transferring files, downloading information and much more. When you purchase on-premise software, you likely download it from the Web rather than install it from a CD, DVD or anything else plugged into your servers. And you'll probably get your updates and patches off the Web, too. So there you are, back on the 'Net again.

The only way to avoid most threats coming from the Internet is to not connect to the Web at all. But the highest threat of compromise from internal staff continues to exist, and more importantly, abstinence will kill your company. Companies would be unable to capitalize on business growth opportunities without online interaction.

Fact #3: Other Cloud Concerns Remain

Ironically, security is generally the first and most frequently cited cloud concern, yet adopting cloud solutions can dramatically improve security preparedness, incident response and business continuity. However, while they do not receive the same initial attention, other concerns about cloud adoption – such as total cost of ownership, cloud contracts, cloud tools and portability – remain relevant.

Due to the subscription pricing model, there's no argument that up-front SaaS costs are dramatically cheaper than those of their on-premise counterparts. Also, with quick provisioning of new systems and no hardware or platform software (i.e., operating systems, relational databases, security programs, management tools, etc.) to install, SaaS CRM software implementations go faster and cost less.

And, with less hardware to maintain and less need for application system administrators, database administrators and overall support, IT labor costs are clearly reduced. However, subscription pricing is recurring billing, so whether cloud systems deliver reduced total cost of ownership (TCO) over the life of the application compared to their licensed counterparts becomes a TCO calculation that will vary for each company.

Contracts for cloud solutions lack standardization and, if not understood by buyers, may carry unforeseen risk. Some cloud CRM vendors offer Service Level Agreements (SLAs); some do not. Some cloud CRM vendors offer SLAs to some customers but not to others. Some SLAs contain financially backed credits or penalties for SLA non-conformance, while others do not. Some SLAs exclude "scheduled maintenance" from uptime guarantees, while others do not.

Most cloud vendors charge varying storage rates beyond their allotted per-user storage amount, and most vendors include automatic renewals; however, the terms and conditions of renewals vary. Several SaaS vendors include a "coterminous" provision when adding users during the contract term, meaning that any users added during the contract period retroactively result in increased subscription fees for the original users as well. Some SaaS CRM vendors include language reinforcing the customer's ability to retrieve their data in a timely manner; others do not. The lack of consistency among cloud contracts imposes increased diligence upon cloud buyers and their legal advisors.

Despite powerful Platform as a Service (PaaS) and custom development tools from SaaS providers, many IT shops lack cloud tools to help them support their infrastructures, policies and user communities. Simple tools such as real-time monitoring of cloud services may be unavailable, blocked by cloud providers or contractually prohibited in cloud vendor contracts.

This prevents IT shops from obtaining performance metrics and impairs their ability to provide real-time support to their user communities. Other tools, such as integrated identity management solutions, are in short supply. Companies that subscribe to multiple SaaS products without a common, easy-to-install and easy-to-use single sign-on (SSO) or other identity management method will force users to manage multiple logon IDs and passwords.

Cloud portability is becoming a casualty of proprietary PaaS tools. For example, companies can use the Salesforce or Lightning development environments to build custom applications and add-on solutions; however, such solutions work only on the Salesforce cloud. Similarly, don't expect custom solutions built with NetSuite's NS-BOS platform or SAP's NetWeaver platform to work outside of their own clouds.

According to Daryl Plummer, Gartner VP and Fellow, many of the remaining cloud concerns will be addressed over the next few years. He expects that cloud providers will come to understand that customers need audit tools for cloud services and contractual guarantees about the vendors' liability should their systems fail. Plummer also predicts that "cloud brokerages" or intermediaries will emerge to help companies get what they want from the cloud.

The Cloud is Coming, Whether You're Ready or Not

On top of everything else, recognize that the cloud will grow despite any efforts to keep it at a distance.

"While the on-premise model is the use of internal services with a few forays into the cloud, in the future it will certainly be the opposite," says Ed Lyons, Chief Engineer at Keane. "Business services will increasingly be in the cloud, and there will be rare exceptions when something must be brought 'in-house.'"

He also shares that if you are choosing a CRM system or any other enterprise software application, "You don't have to imagine this model, startups with millions of users already operate this way."

There are far more clouds developing on the horizon: private clouds, public clouds and hybrid clouds. "As companies debate on-premise versus online systems, there will be an increased focus on private clouds, and companies will see significant changes in the cost structure and accounting treatment within their organizations," says Amit Sen, Director at Patni Americas' Business Consulting Services group.

Next time your CRM selection team is evaluating the security risks of cloud computing, recognize that the real question isn't whether the company moves to the cloud, but when, and under what conditions, the cloud makes sense for your business.