Monday, August 27, 2012

Is Cloud More Secure Than On-Premises Software?

Security is the most common objection people - or companies - raise against the adoption of a cloud-based solution. There have certainly been enough stories reported about compromised passwords and other security breaches at cloud-based services such as Dropbox or iCloud. Emotionally, it feels like having our data stored somewhere where we can’t see it is just not very secure.

But let’s face it, we’ve had our money stored somewhere where we can’t see it for decades. Yet we seem to be completely trusting of our banks. Nobody is arguing that our money would be more secure under our mattresses. Quite the contrary, we rush to put our money into the banks knowing full well that the bank doesn’t actually keep the money. At the end of the day, it is just an entry in a computer database somewhere...somewhere...in a cloud. Or private cloud to be more precise. In any case, we consider banks highly secure today.

And so, the latest argument about cloud security goes in the opposite direction. We are beginning to realize that the cloud companies have more at stake, and so they are likely investing more in security than a typical company ever would, or could afford to, for its on-premises software.


Let’s take an example. Thousands of companies across North America have been using ADP to process their payroll for many years. ADP’s payroll processing is a cloud-based application - and it has been since long before we knew what the cloud was all about. ADP even offers to outsource the service, not just the app. Yet as far as security goes, nobody is screaming that it is preposterous to have all that highly confidential personal data stored at ADP. In fact, most people think that it is probably safer at ADP than it would be if processed by their own employer.

Indeed, cloud companies are increasingly considered capable of providing more security features than companies running on-premises software. Just yesterday, Dropbox raised the bar by rolling out two-factor authentication. How many of your on-premises applications have that?

But then again, the cloud companies are a much bigger and more attractive target for the bad guys. The hackers might never pay attention to your company and your data center, but they sure know about Google Apps, Dropbox, Amazon EC2, Microsoft Azure, and Apple iCloud. A big-name cloud company is a very lucrative target, and many hackers see hacking one as a challenge they can’t resist.

So what gives? Is our data more secure on-premises or in the cloud? Well, I suppose there is no black-and-white answer out there today. There are many considerations that need to go into software selection - on-premises or in the cloud. Security is certainly one of them. And we can be sure that the security debate will remain a hot one for quite a while.

Tuesday, August 21, 2012

Records Management Is Easy, Disposal is Hard

Records management is one of the traditional disciplines in the vast field of enterprise content management. The purpose of records management is to satisfy the regulators and the court of law by ensuring that official records of transactions and activities are being preserved for future reference. The regulators typically prescribe a retention period - the length of time for which your organization needs to keep the record.

From the outset, records managers focus on making sure that all records are being retained, that they cannot be tampered with, that the retention period is being enforced, and that the records are properly classified so that they can be easily found when requested. The more sophisticated records management solutions also deal with advanced capabilities such as access control, storage optimization and legal holds to pause the retention clock in the case of a lawsuit.  

However, the most important part of records management is, in my opinion, the disposition. The idea of disposition is pretty straightforward - once the retention period expires, the best practice in records management is to dispose of the records that are no longer needed. This is nothing shady in the manner of Enron but rather a perfectly legal and recommended practice. Reliable records disposition, though, is very hard.


Photo by bartmaquire, Flickr

Indeed, filing records and locking them up for the prescribed number of years is not trivial but it is a solved problem today. Disposing of the record in the official records repository is also relatively easy. The problem is to dispose of all copies of the record. That’s right, records disposition is pointless unless you can ensure that the record has been completely expunged. Gone. Forever. If not, you can rest assured that a copy of the record will be found by investigators or by a subpoena and it can and will be used against you.

But reliable and secure disposition of a record and all its copies is the tough part.

Chances are that a copy of your record exists in more than a dozen locations - on your co-workers’ desktops, on various servers, on SharePoint sites, and as an attachment in many email inboxes. Add all the iPads and other mobile devices to the mix and combine it with the popular cloud-based file sharing services such as Dropbox, Microsoft SkyDrive, Apple iCloud, Amazon Cloud Drive, or Google Drive and you have a very challenging scenario for records disposal. How can you ever be sure that you are expunging all copies of your records?

There are ways to solve this challenge. It starts with a common enterprise governance infrastructure that applies de-duplication across your email and all servers. That way, the record only exists in one instance while keeping the links to all the SharePoint sites and email inboxes. It also requires the ability to give employees a secure alternative to Dropbox that can be part of the same de-duplication infrastructure. In extreme cases where you know that your documents are regularly shared with external parties, the solution may need to involve rights management as well. While I usually try to stay away from blatantly promoting my employer’s products, we have some really good solutions for all of that.
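The single-instance idea described above can be sketched as follows. This is an added example, not code from the author or any product: the `SingleInstanceStore` class, the location strings and the sample memo are all hypothetical, and it only covers copies filed through the governed store, not copies that live outside it.

```python
import hashlib
from datetime import date

class SingleInstanceStore:
    """Toy de-duplicated record store: one blob per SHA-256 content hash."""

    def __init__(self):
        self.blobs = {}  # digest -> bytes, the only stored instance
        self.links = {}  # digest -> set of locations referencing it
        self.meta = {}   # digest -> {"dispose_after": date, "legal_hold": bool}

    def file(self, location, content, dispose_after):
        """Store content once; every further copy only adds a link."""
        digest = hashlib.sha256(content).hexdigest()
        if digest not in self.blobs:
            self.blobs[digest] = content
            self.links[digest] = set()
            self.meta[digest] = {"dispose_after": dispose_after, "legal_hold": False}
        # Conflicting retention rules: keep the longest period.
        m = self.meta[digest]
        m["dispose_after"] = max(m["dispose_after"], dispose_after)
        self.links[digest].add(location)
        return digest

    def read(self, location):
        """Resolve a link to its content, or None once disposed."""
        for digest, locations in self.links.items():
            if location in locations:
                return self.blobs[digest]
        return None

    def dispose(self, digest, today):
        """Expunge the single instance and return every link it had."""
        m = self.meta[digest]
        if m["legal_hold"]:
            raise PermissionError("legal hold pauses the retention clock")
        if today <= m["dispose_after"]:
            raise PermissionError("retention period has not expired")
        del self.blobs[digest], self.meta[digest]
        return sorted(self.links.pop(digest))

def demo():
    """Constructed sample: one memo filed from three locations."""
    store = SingleInstanceStore()
    memo = b"constructed sample record: Q3 memo"
    for loc in ("mail:alice/inbox/42", "sharepoint:/hr/memo.docx", "share:/bob/memo.docx"):
        digest = store.file(loc, memo, date(2019, 12, 31))
    return store, digest
```

The list returned by `dispose` doubles as the disposition audit trail: every inbox and site that held a link loses access in the same operation.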

Don’t get fooled into believing that you have solved your records management problems by applying retention rules to your documents. While that may satisfy the regulators, it won’t address your need to reduce unnecessary liability. Reliable records disposal is difficult but very important. Because you can be sure that if a copy of that smoking gun document exists on someone’s iPad or in Dropbox, it will be found when you least expect it.

Sunday, August 12, 2012

NBC's Olympics of Denial

After two weeks of a sport bonanza, the London 2012 Olympics are over. I am a big fan of the Olympics and I enjoy (re)learning about all the exotic sports once every four years. As a cord-cutter, I must say I was quite worried about the Olympics this year. Will I be able to see the action? My heart skipped a beat many a time at the thought of watching the highlights on YouTube two weeks after.

But I didn’t need to worry. While I don’t have any cable or satellite TV at home, I do get one channel with an over-the-air antenna, CTV, which was the primary channel providing Canadian Olympic coverage. The coverage was provided live and there was also a daily 3 ½ hour summary in prime time. But the programming delivered via my little indoor antenna was actually just a fraction of the content available free of charge online at www.ctvolympics.ca. There, I could find live coverage of virtually all events going on and a recording of every competition, sometimes a dozen online channels simultaneously. If that wasn’t enough, I was able to go to BBC’s site which provided live coverage and a recording of every London 2012 event.

That was simply awesome. Sure, I was still exposed to the annoying commercials, even online, but I was able to watch everything live, in a tape delay, or on-demand!

Contrast that with NBC. NBC infuriated TV viewers by airing the Olympic events only with a tape delay. In today’s day and age, it is impossible to stay away from the results and so the viewers had to watch the Olympic event while knowing the results. But what was even worse was the online coverage. NBC required viewers to sign on with their cable accounts. That eliminated all the cord-cutters like me, all international audiences, and anyone on vacation in the US like I was for a few days. Strange decision, actually, as online viewers can be a target audience for commercials just like the viewers watching on cable.

NBC online streaming required a cable account.

When exposed to criticism, NBC bragged about their viewership, which was breaking all records yet again. NBC’s interpretation was that the numbers have shown that the viewers loved the service NBC delivered. Well, I beg to differ. The growing numbers reflect the rising popularity of the Olympics, the ever greater media buzz and the higher notoriety of the top athletes such as Michael Phelps and Usain Bolt. The American viewers can’t get enough of the Olympics and NBC didn’t give them any choices. So they had to watch on NBC terms.

But the Olympics can be covered differently, as CTV and BBC have shown. I realize that NBC paid $1.2 bln for the rights to broadcast the London 2012 Olympics coverage in the United States. That’s a huge sum of money and NBC has to be careful to make sure that they at least break even. But what I am seeing is a company in denial that is clinging to its old ways of business while the world has moved on. Pretty soon, the US audiences will figure out alternate ways of watching their favorite programming and right now, it looks like NBC may not be a part of the picture. Just go to the BBC web site, folks.

Who needs NBC?

Wednesday, August 8, 2012

The End of Partner Ecosystems

For three decades, the formula for success in software was pretty well understood. Not easy to execute but clear. It was called the ecosystem. You need a channel of resellers and perhaps even distributors around the world to sell your software. You need implementation partners - small, local boutique firms as well as professional services practices at the large system integrators. You need ISVs - partners who build their solutions in a way that complements yours. You need training delivered by your training partners and perhaps also partners to administer the tests and certifications. And you may also need some influencers in your camp - journalists, bloggers, analysts, or marketing agencies. A magazine named after your software platform will do just fine...

If you have a magazine, you have an ecosystem alright!

Microsoft didn’t invent this formula - that honor probably goes to Novell, all the way back in the late 80s - but Microsoft perfected it. For decades, Microsoft’s authorized resellers, authorized distributors, certified partners, certified professionals, MVPs, authorized testing centers, ISVs, system integrators, consultants, OEMs and other types of partners were helping Microsoft to attain its dominance. An entire ecosystem of partners participated in the massive software economy created by Microsoft and other vendors. These partners were necessary to scale the business by providing local points of sale, planning and deployment services, training, and complementary software and hardware. The vendors such as Microsoft, Oracle, HP, or IBM provided the platforms that enabled their respective ecosystems. It was a symbiotic relationship - the platform vendors needed the partners and the partners depended on the platform vendor.

Symbiotic relationships can work

Fast forward to 2012 - when a new type of information technology economy is being shaped. The platforms are running in the cloud and the platform vendors are striving to provide the most integrated set of services - from infrastructure software to applications, from servers to mobile devices. Apple and Google are leading the way and vendors such as Microsoft and Oracle are rushing to catch up. They are building their own cloud offerings and also the hardware - tablets and servers.

The big difference is that the new economy does not require an ecosystem of partners. As the software is sold and delivered via the cloud, it no longer requires a channel of resellers, consultants, and system integrators to implement the solutions. The software is increasingly simple which reduces training needs and the only hardware required is the hardware that runs the cloud. And even that hardware is increasingly custom made - just think about the custom server blades that comprise the famous Google data centers!

Sure, there will probably always be the independent software vendors (ISVs) with apps that leverage the platforms, but most of them will be under constant pressure of being squeezed out. As for other types of partners - they are no longer required. The consultants might find work providing advice on the best use of the software and system integrators may find opportunities around migration projects or projects related to hybrid environments. But in the long term, they are not wanted anymore. Just think about it - what partners do you need when you switch to Gmail? Or to Office 365?

It’s a new world now and the partner ecosystems might no longer have a place in it. Or do they?