Square-Off: Is Your Data More Secure in a Data Center or in the Cloud?
It was the big system break-ins that changed the corporate approach to data security, observes Ashley Vukovits, the CFO of Interactive Intelligence Group and one of the debaters in CFO’s latest edition of Square-Off. Not that long ago, she writes, “most people would have answered the question of whether data is more secure in a company's data center or in a vendor’s cloud storage system with a resounding answer in favor of the organized data center” housed within the company itse ..
You are out of capacity. You’ve got data that you don’t have a home for. So you have to decide whether to build out additional capacity within your existing data center (if you have one), in a colocation data center, or in the cloud.
Let’s consider each in turn.
Option 1: Build new capacity in your existing data center.
Building out additional capacity to keep your data within your existing on-premises data center is a relatively simple exercise from a security standpoint. You already have an enterprise-wide security stack that you’re (presumably) comfortable with. Provided that you have the space and power capacity in your data center, adding IT capacity is a matter of ordering additional gear of the same specifications you use across your locations, setting it up with the same security architecture as the rest of your gear, and then flipping the switch.
Option 2: Get new capacity in a colocation data center.
From a security standpoint, the relative ease of moving to a colocation data center depends on the provider. At one extreme are the colocation providers that deliver the physical space, power, cooling, and the piping you can use to connect your servers to your own network carriers. You, however, are responsible for securing the data coming into, out of, and residing within your servers in the data center.
Other colocation providers go to the opposite extreme – in order to deliver security, they tightly restrict how you must set up your security architecture. You have to figure out how to fit your security architecture into the provider’s facility. Often, that means changing your architecture, which brings up a whole range of new security risks and costs associated with new security assessments.
Then there’s the middle ground: providers that allow you to extend your enterprise architecture as is into the data center and at the same time provide a secured private conduit to connect your servers to the carrier’s network. That conduit runs on the lower network layer, below network gear and security devices, which you maintain full control of.
Option 3: Move your data to the cloud.
The third option removes all the costs and risks associated with extending your security infrastructure into a new physical environment. You sign up with a cloud provider and choose your security policy: completely open with no restrictions; the cloud provider’s standard security; or completely locked. Let’s assume you are more risk-averse than not and go with the third choice, completely locked. You then “unlock” just what’s required for your applications to function.
But that can be difficult. You have to understand the capability of the cloud provider’s stack end to end to discern what you have to open in order to enable the full functionality of the server. Here, one of the chief cloud selling points – staying up to date with the latest technology – can also pose a real challenge. When you deploy a legacy application in the cloud, it often requires rework and then extensive testing on the cloud platform to ensure your application maintains the functionality users expect. Ensuring that you’ve replicated your security architecture in the cloud – development, testing, recalibration – is a time-consuming and often costly process. And it’s one that is rarely accounted for in cloud cost models.
But the cloud can offer the best of all worlds if you’re not a legacy organization with a lot invested in legacy architectures and legacy applications or if you’re only looking for a place to run development and testing and don’t require a particular security architecture. Then the cloud can offer the ability to construct best-in-class security solutions, an operating expense cost model, and assurance of the latest and greatest technology.
So which option is best? There’s no right answer to that question. It depends on your tolerance for the different types of risks associated with each option, on what existing security architectures you’re already invested in, and on what applications you’re looking at. The point is that there are risks associated with every option, and the only thing that applies to everyone, all the time, is the importance of understanding those risks and making a decision with eyes wide open.
Rajendran Avadaiappan is CIO at Aligned Data Centers, a colocation provider.