Your data is more secure in your data center than in the cloud, right? Not so fast. Miki Sandorfi, Senior Vice President, Product Engineering at Sungard Availability Services (Sungard AS), joins IT Availability Now to address this common misconception and set the record straight. Other highlights:
How to determine the right data location
What security protocols you need in place, regardless of where data is stored
Why “on-premises vs. cloud” is more psychological than anything else
Brian Fawcett is a Senior Manager of Global Sales Engagement at Sungard AS. With over 15 years of experience in a range of industries, he specializes in forming enterprise-wide global talent and learning development programs. Brian has enriched corporate learning culture by matching organizational vision and core values to curricula, leading to application and impact.
In his role as Senior Vice President of Product Engineering at Sungard AS, Miki Sandorfi is responsible for advancing global product engineering and leading global program management. Drawing on his in-depth knowledge of IT systems (Oracle, SAP, VMware), as well as cloud-first technologies (OpenStack, AWS, Azure), he develops plans and solutions to aid customers’ digital transformations.
The full transcript of this episode is available below.
BRIAN FAWCETT (BF): Where is your data most secure: Your data center, or the cloud? Many people still say the data center. But is that really true? Let’s find out. I’m your host, Brain Fawcett, and this is IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available. Today we’re talking about data security. Specifically, how secure is data in the cloud versus an on-premises data center, and how you can determine the best data storage option for your business needs. I’m joined by Miki Sandorfi. He’s Senior Vice President, Product Engineering at Sungard Availability Services. Miki, welcome to the show.
MIKI SANDORFI (MS): Hey, Brian, it's great to be here.
BF: Thanks. So, Miki, when it comes to data security, what do you hear from companies? Do they favor their own data center or do they prefer the cloud?
MS: Well, certainly in the early days of the cloud, security was not nearly as robust as on-premises data centers. So there was a natural predilection to use on-premises data centers for sensitive data, and really the public cloud for more test and development data. But that's certainly not true anymore. Advances in cloud security have long since caught up and in most cases surpassed what most companies are doing in terms of security in their own data center. Security was always one of the big concerns of adopting public cloud and hosted private cloud services, and the technologies have come a long way. So it's simply not true anymore, that data is more secure in the data center than in any cloud.
BF: So there’s a lingering misconception, but is one more secure than the other, or does it depend on the circumstances?
MF: Well, like I said, security on the public cloud has always been a concern. But I would argue that the security practices and technologies of any cloud exceed what most data centers have on-premises. In fact, the belief that your data is more secure within the four walls of your data center is proven as a fallacy based on some major breaches that have occurred. So for example, in the financial services sectors, both Target and JP Morgan Chase have had significant breaches where millions of customers private information has been leaked into the public. In the healthcare space, Anthem has had hundreds of thousands of healthcare records stolen, and probably most concerning to me, Equifax, one of the companies that’s synonymous with your own credit and credit protection has had millions of records stolen. So thinking about this, your data is connected to the internet and whether that data is in your data center, or whether that data is in a public cloud, it's equally as accessible. So the physical location really is not what you have to be concerned about. It's more so the business processes and the technologies that you use to secure your information. Any major cloud provider is going to have those processes in place, and you can see how they have really upped their game over the last five to seven years. Whereas five to seven years ago, I would be concerned because they didn't have things like encryption or strong management access controls to the data assets. But today, that's simply not the case. And honestly, managing those systems on-premises with those sophisticated processes, probably is not as robust today as it exists in those public clouds or those hosted private clouds.
BF: So if there is some truth that public cloud security exceeds what companies have on-premises, why do so many companies want to keep sensitive data in their own data center?
MS: That's a great question, and honestly, I think that really comes back to people. We're all, in some ways, reluctant to change. So this is really more of a human problem, a psychology problem, than it is a technology problem. If you look at the encryption standards that are used in almost any cloud today, if you look at some of the technologies around key management and the processes both around data center, and also the virtual assets that are managed within those data centers in any cloud, in almost all cases that far exceeds what you would do in your own data center. So this is really mental agility. It's companies and their IT organizations thinking outside the box and really understanding that technologies have changed, and that what they really need to look at is a different set of tools and techniques to bring value to their businesses using the best of breed of security and technology.
BF: So psychology being a big part of it. What about compliance? Aren't some industries required to keep certain types of data on-premises?
MS: Yeah, that's a great question, Brian. So the reality is there are many, many regulations that are meant to make sure that there are adequate business policies and practices in place that are followed to ensure data is kept safe. Let's talk about a couple of those. The payment card industry (PCI), which you might have heard about, is really all about any credit processing type of environment has to have a certain set of criteria to be PCI certified. This is sensitive information - your credit card numbers, your personally identifiable information, addresses, and other things like that - of course it has to be well protected. PCI talks about encryption, access control, things that make sure that the information is kept and accessed securely, but it never talks about physical location of that information. Another example is the EU’s GDPR and these are mandates over personally identifiable information and making sure that again, they are secured, they are encrypted, and that customers have access to their own personally identifiable information and have information as to how and when their personally identifiable information was used. Very strict mandates, but again, they don't dictate how that is done and where that information is stored. And finally, another example is HIPAA. HIPAA is all about healthcare and healthcare information - how the information needs to be protected, how it has to be accessible to a patient - but again, it doesn't outline where that information is kept. The only regulations that I'm aware of that really talks about location of information really are part of the EU, and its sovereignty of information. So information that was created in Switzerland, for example, needs to be kept in Switzerland. But again, within the country of Switzerland, as an example, you have public cloud providers, you have hosted private cloud providers, and certainly those that run their own data centers. So location is really more of a company policy issue than any kind of industry standard issue.
BF: So if companies are determining their own guidelines, what do you recommend? Is there data you would never put in the cloud or data that should always be in the cloud?
MS: Yeah, another great question. I think this really comes back to not a security or reliability kind of conversation - I think we've covered that. It's really the right tool for the job. So what we really need to look at is to run our business, there are going to be different types of information that we want to process that bring value to our business and allow us to make smarter decisions about how to run our business effectively. So in the spirit of using the right tool for the job, applications that have lots of bursts and traffic - web hosting, analytics workloads, artificial intelligence and machine learning applications - that's where public cloud really shines. Those services, plus the data that link to those services, allow you to scale up and scale down, and you can do that in a very cost effective, seamless way in a public cloud. On the other hand, there are certain systems where you access information constantly. Things like some enterprise database solutions, customer service solutions or CRM, for example, where you are consistently and predictably accessing that information around the clock. Just from a financial perspective, a lot of those types of applications work better in a private cloud or a hosted private cloud. So it really isn't a security of your information matter anymore, it really comes back to the right tool for the job. And this is why, as an industry, we're all talking about hybrid. But no matter where you store your data, you must have the right security protocols and practices in place. So use strong encryption standards, and that should apply whether it's data in your data center or data that you're putting in a public cloud. Encrypt different types of data with different keys so it's simple to crypto shred information or to further protect the information in different business policies. Have rotating keys so you can refresh those keys and not be worried about those keys being stolen because you have a policy in place of rotating those keys. And that goes hand in glove with having a very strong key management system that helps you manage those keys effectively, and put policies in place that automatically rotate those keys for you. And lastly, this is a business process thing, but have strong access controls so the right people have information access at the right time. And it doesn't have to be all or nothing. These are hybrid strategies, and companies can make use of both on-premises and public cloud strategies.
BF: So all of this has been really informative, Miki, so let's just recap for our listeners. Number one, it's not the location data that matters, it's how well secured it is. Two, where you put your data and applications really depends on what they are and most companies will end up with a mix of some data in their data center and some in the cloud. And then finally, number three, no matter where your data is, you need to make sure you have the right business processes and controls in place.
MS: That's exactly right, Brian, you've captured it. And it's not an all or nothing, it really is a hybrid world. And companies should really look at using the best of what they do in their data center, as well as what they would do in a cloud service provider to allow their businesses to move faster and more efficiently.
BF: Miki Sandorfi is Senior Vice President, Product Engineering at Sungard AS. Miki, thanks for coming on. I appreciate your time.
MS: Thanks, Brian. It was great to be here.
BF: You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow. Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they’re available. IT Availability Now is a production of Sungard Availability Services. I’m your host, Brian Fawcett, and until next time, stay available.