At the 2015 RSA Conference, security evangelist Bruce Schneier challenged his audience: “Don’t ask if you should be in the cloud. Ask if the cloud is more secure [than] what you’re doing right now.”
Later during the conference, I posed that same question to Ben Rothke (@benrothke), Principal eGRC consultant with The Nettitude Group, asking how you should determine which environment is more appropriate and secure for your data.
Rothke suggests you simply look at what you have. Do you have the people who can manage your network? Are they available 24/7? Can they manage encryption keys and the details that go along with encryption?
“If you don’t have someone you can turn to when the patches are breaking your system at 3am Wednesday after patch Tuesday, then it might be an imperative to look at the cloud,” said Rothke. “If you’re an organization that has all of that and you’re doing it well, then the imperative for the cloud may go away.”
“It’s very easy to get your data into the cloud, but the question is: how do you get it out?” asked Rothke, who highly recommends that you have an exit strategy with any cloud provider you choose. There may be a situation where the contract will end and you’ll need to know how to extract the data.
Ask where your cloud providers are storing their data. What’s behind their cloud? It could be with a major provider, or it could be with Vinny’s Cloud Services, warned Rothke.