Security is, of course, important and Cloud services raise some important issues related to data security.
However, a lot of companies have an irrational response to cloud services and make knee-jerk policy decisions about their use based on ignorance.
The fact is cloud services can actually improve an organisation’s security significantly.
The problem is IT security isn’t just about systems and technical policies. Too many places have broken IT policies which revolve entirely around locking-down IT systems and prohibiting certain activities. In several cases I have seen, if staff actually followed the IT security policies to the letter, they would not be able to do their jobs.
It’s no surprise that, in many organisations, IT is known as “The Prevention of Work Dept.”.
IT security is as much, if not more, about human behaviour and social interaction as it is about firewalls and password policies. If, for instance, you set draconian password policies then however much you tell people not to write their passwords down they will write them down.
Equally, if your staff require the ability to exchange information with clients and partners to do their job and you don’t provide them with a way to do that, they will bypass your systems and ignore your security policies.
After all, the chances of being caught not doing your job are far higher than the chances of being caught palming a USB key to a business partner; at one point on a project I worked on a of our team met up with a supplier in a random car park one evening to exchange a USB key of data that was vital to the project but which we could not legitimately exchange due to the company’s IT security policies.
Cloud services can improve your security because they encourage and incentivise secure practices. Instead of punishing your users for doing their job, reward them with tools which enable them to do that job securely, easily, and with controls and auditing.
Cloud services can be a great way to do this. Obviously there are security and data protection concerns, but instead of being irrational about those, analyse them sensibly. Look at the credentials of the Cloud provider.
After all, there are cloud services that are used by organisations whose IT security needs are probably far greater than yours, such as Governments and Government Agencies.