If you want data security done right, should you do it yourself?
The question of cloud security and data residency is frequently debated around the world, especially in Canada and European Union countries, where compliance laws around data can be especially strict.
In fact, as a first question put to cloud providers, Americans are most likely to ask about network latency, whereas Europeans tend to ask about security and data residency, according to Stefan Ried, an analyst at Forrester Research Inc.
In Canada, we’re probably somewhere in between.
But where legal requirements around data residency and privacy don’t exist or aren’t as stringent, even some of the largest and most security-conscious companies are giving cloud providers the keys to their data.
HR and payroll services are some of the business functions that are being increasingly contracted out. A desire to reduce application sprawl and focus on the core business is pushing them out of on-premise networks and into more flexible and, according to providers, more secure cloud environments.
Automatic Data Processing, Inc. is one of the largest vendors of this kind, serving some of the largest financial institutions in Canada. Naturally, these are also the clients that require the tightest security.
Payroll isn’t necessarily subject to the same rigorous compliance standards as customers’ personal information, but the data is sensitive enough that these organizations need to have absolute confidence in their providers.
“It’s not a regulatory requirement, but it’s an extension of the trust that we have with those partners,” says David McIninch, vice-president of marketing at ES Canada (part of ADP).
ADP offers a multi-tenant, managed public cloud model that has extensive security services wrapped around it, adds Michael Capone, CIO at ADP. In fact, an entire branch of the company is devoted to security. Its chief security officer came from EMC Corp., which owns RSA, a major security firm.
He gets the question from clients all the time: “Can I trust putting my data in the cloud? I’m nervous about that.”
But the answer is simple, he says. Many clients don’t have the infrastructure or expertise to handle security as well as a cloud provider whose reputation is on the line. “Do you really think that you could devote as much time and thinking and energy into security and infrastructure as ADP can? The answer is probably ‘no.’”
ADP operates data centres in the U.S. and Canada where its security group runs everything from “soup to nuts,” he says, “the physical security [around data centres]… redundancy and power, and things that keep the lights on in the data centres. But then, drilling in: all of the network security, encrypting data at rest.”
Graham Thompson, CTO of Intrisec Technologies, a member of the Cloud Security Alliance and an expert who offers courses on cloud security, said that while a big financial institution does have the money and scale to “duplicate or have the same level of security that ADP” provides, there’s no question that many smaller businesses can’t come close.
For larger enterprises that want to move applications to the cloud to focus more on their core business, the issue is better thought of as trust rather than security, he says. A company like the Royal Bank of Canada, for example, would look at reputation, finances and company history carefully before choosing a provider, he explains: “do these guys operate the same kind of enterprise level as we do?”
“They’re really establishing trust more than they are really scrutinizing the security of the provider in a lot of cases,” says Thompson.