Security Questions To Ask Your Cloud Provider

NeoSpire's director of security, Sean Bruton, discusses the realities of cloud security and the key questions to ask when assessing a hosted or cloud service provider's claims.
InformationWeek SMB: All this security sounds like it can be a lot of work to provide. How big does a company have to be to internally house data, cost effectively?
Bruton: Every company will have a different level of risk they're willing to accept. Consider that a small company handling credit cards has to meet Payment Card Industry Data Security Standard (PCI DSS) requirements, versus some other business where data loss isn't as big a concern. Every company, big or small, has to look at their regulatory obligations with regard to security.
It takes seven to eight people to run a single 24-hour shift. For a single web application, the costs would be astronomic. Even if you're willing to go to one shift, or on-call... you're still talking about $100,000 a year just in salary.
A dedicated or cloud provider can do this work for about 10% of that, and without the capital expenditures or other commitments on your part. So unless you already have a staff for round-the-clock offsite BC [business continuity], DR [disaster recovery], and to meet your various regulatory requirements, it's not cost effective.
InformationWeek SMB: So until you're big enough to have all those teams in place, you'll never see a cost savings? Especially if you add in the learning curve, the costs of keeping up to date with new technologies, new regulations, and new threats.
Bruton: No, for a third party, that's the business they are in. In terms of operations, you can treat it like a "black box," and not worry about the technology.
But using a third party means there's a disastrous impact on security. Since you don't know what your provider is doing, you can't tell your auditors.