Think Twice about Where to Store the Crown Jewels

Where is it safest to store your company’s most important data--in the cloud or locked up where you can physically guard it? This information includes business-critical items such as source code, intellectual property and customer information--in other words, the lifeblood of any business. The data is so important that a breach can easily result in catastrophe.

July 29, 2016


By Charles Cooper

When hackers breached Target’s payment system in late 2013, they were able to remain unnoticed for about two months as they rummaged through credit card information belonging to as many as 110 million of the retailer’s customers. Target avoided a big fine from regulators, but still had to pay out tens of millions of dollars to affected credit card issuers and customers whose information was stolen. What’s more, the company’s cybersecurity reputation took a hit as details of the hack emerged in the months following the initial announcement.

An even worse fate was in store for source code hosting provider Code Spaces, after attackers grabbed control of the company’s Amazon Web Services infrastructure in 2014. By the time Code Spaces got most of its access back, the attackers had destroyed much of its data, backups, machine configurations and offsite backups. In other words, Code Spaces no longer had a service to offer customers and went out of business.

Scary headlines grab media attention, but don’t assume that means the company’s crown jewels must always get stored on premises. That may have been true a few years ago, when IT could put a sturdy wall around the corporate data center. That’s hardly the case anymore in the hybrid cloud environment, where a mix of data now resides in corporate data centers, private clouds and public clouds.

A hybrid cloud environment means there are always going to be connections between public clouds and the local data center. Inattention to proper planning and controls–which can and does easily happen, perhaps more often than some would like to admit–means that attackers can still potentially tunnel into that data center environment and get their hands on this coveted data.

This comes down to making a judgment about risk. To be sure, some will resist agreeing to move the crown jewels to someplace where they can’t physically guard them. Also, certain categories of firms may be bound by regulatory constraints that prohibit data from being moved physically to another geographic region.

But, for most organizations, regulatory matters shouldn’t decide the issue. Rather, it ought to be about what makes the best sense. Since a company’s on-premises file sharing includes at least some shared hybrid infrastructure, the infrastructure isn’t necessarily going to be inherently more secure than storing data on a public cloud. Besides, public cloud providers invest heavily in cybersecurity technology as well as in hiring skilled personnel to bolster the security-worthiness of their hosting infrastructure.

Organizations opting for a mixed cloud approach can also take measures to defend their own hybrid infrastructures. The approach should include a multi-layered protection strategy. This means protecting data through encryption and rigorous usage policies. It also depends on enforcing up-to-date policy management and controls that govern access.

As we’ve seen elsewhere, this may result in certain up-front expenses. But, over the long term, clients still incur lower costs by using a mixed cloud infrastructure. They reap the extra security advantages knowing that their public cloud provider is working 24/7 to seal off their infrastructure from intruders.

Still, you’re going to find some IT departments that resist letting the organization’s crown jewels out of their sight. But while IT may want to retain its historical prerogative–and status–as an independent corporate function, it is just another department that needs to be on the same page with the organization’s larger corporate goals in the era of the cloud.

This content is underwritten by VMware — and is editorially independent. It is produced in accordance with conventional standards of business journalism.

Charles Cooper is an award-winning freelance author who writes about business and technology. During his 30-plus year career, he has worked as an executive editor at several leading tech publications including CNET, ZDNet, PC Week and Computer Shopper.
