Why Are We So Scared of Cloud Security?

Richard Cooper of Charity Technology Trust (TechSoup's partner organisation in the United Kingdom) suggests that not-for-profits be realistic when weighing the risks of cloud computing.

Author: Richard Cooper, Charity Technology Trust

During the month of October, join TechSoup.org and the TechSoup Global Network for our Cloud Computing Worldwide campaign. Check back throughout the month for blog posts, webinars, and dispatches from around the world on cloud computing for not-for-profits, NGOs, and public libraries.

Richard Cooper is the development manager at Charity Technology Trust, an organisation that provides IT services to charities in the United Kingdom. CTT is a member of the TechSoup Global Network, providing donated hardware and software to charities in England, Wales, Scotland, and Northern Ireland.

In this guest blog post, Richard argues that cloud-based services aren't inherently less secure than in-house servers, and may be much more secure. This post originally appeared on Richard's blog.

I hear a lot of people's reservations about cloud computing. One of the biggest is security. No doubt Dropbox's recent security lapse will be rolled out at every seminar and conference for the next three years to warn small children — sorry, prospective users of cloud services — of the cloud's inherent insecurity.

But the more pertinent question is this: is the security of a cloud service weaker or stronger than you currently have? I would wager that for most not-for-profits, it is emphatically stronger. I'm as big an advocate of a good firewall and a reputable anti-virus/spam package on all your systems as the next person. But let's face it: most of the time, what we're protecting against is the casual opportunist hacker who is targeting literally millions of potential victims. It's like putting a burglar alarm on your house — it just makes you a bit more secure than the house next door that doesn't have one when the opportunist thief walks by. A determined, competent hacker, targeting your organisation specifically, will almost certainly get in; just like a determined, competent burglar will break into your house if they decide yours is the one. When the "celebrity" hacker rings like Anonymous and LulzSec take on challenges like the CIA (and allegedly succeed), what chance do we really stand?

Cloud providers spend a lot more money on their security: as Dropbox is currently finding out, their reputation depends on it. What they have in place is far superior to most not-for-profits. Yes, there will be high-profile mistakes, but tell me there haven't been virus infestations and data breaches within hundreds, if not thousands, of small not-for-profits. Your most vulnerable point is the PC in the office with the "Save Password" options ticked to yes, the password written on the underside of the keyboard, the USB stick left on a table at a conference, or that oh-too-tempting website/email. These vulnerabilities will continue with the cloud and any other technology you use. Cloud providers' anti-hacking, anti-virus defenses will remain a lot stronger than anything you do in-house because it is one of the biggest economies of scale they bring to the table. Their commercial lives depend on it.

Also posted here.
