In Friday’s (September 16,2011) edition of The Wall Street Journal, Mr. John Bussey wrote an OpEd article about small to mid-sized businesses (“SMB”), and how they are opting to leverage the advantages of cloud providers. The author reports that the SMB market has become more sophisticated when it comes to choosing which provider to outsource its data too. Cloud customers are evaluating providers based not only on price points, but also the security mechanisms within the providers infrastructure.
However, Mr. Bussey’s report is entirely focused on technological aspects of security within the Clouds, and very little attention is paid to people and processes. Mr. Bussey should use his platform to educate his SMB readers on other critical governance controls related to outsourcing data. A SMB looking to place its data within the Clouds should examine not only the internal controls it has in place, but also its external controls as they relate to their cloud provider. The article makes this point – “the cloud is no Fort Knox and can cut both ways on security. Multiple users of a given server can create multiple entry points for hackers.” Therefore, a typical control that a SMB might employ when it comes to evaluating a cloud provider is to ask if its files will be cohabited with another business’ files. This type of question/control is more than just asking – do you provide regular anti-virus updates?