Improving Data Security in the Cloud

Since my last article on cloud computing, interest with our clients has continued to grow, as have the offerings to small business with accounting solutions from New Zealand based Xero and project management from PBWorks as key examples. These join the longstanding solutions from longer established players such as Salesforce and companies hosting MS Exchange and MS CRM.

The improved resilience is now well understood, but the greatest concern from SMEs looking at cloud computing continues to be the perceived lack of security, or more accurately, privacy of their data. The British Computer Society continues to raise concerns but what most worried small businesses are forgetting, is that leading SAAS applications actually provide vastly better security than they could ever afford themselves internally. SAAS applications such as Salesforce and PBWorks have independently audited servers, ensuring proper separation of data between their clients as well as security appliances and reviews superior to those commonly in pace with SMEs.

Providing you choose your SAAS or Cloud Application provider carefully and ask the questions about security and audit processes in place, you should be able to IMPROVE the security of your data by moving it to the cloud.

Cloud Apps and SaaS: Business Continuity vs Cheap Connectivity

I often look into getting databases or applications hosted for clients. Resilience and reliability are generally the key drivers for this and for sure, a secure data centre is safer than a standard server in a typical office. I have looked at some further pros and cons in an earlier article.

As a result of its popularity, there is a trend for more use by small business of SaaS (Software as a Service) and hosted, or web based applications generally, including hosted Exchange and hosted CRM - the IoD is pushing both of these for its small business members.

But ... internet connections are not getting better, due to cost there is a major resistance to leased lines and in many cases ADSL is just not good enough - response times to fix problems at exchanges and questionable technical support services should often rule out ADSL as a connection that a business depends upon.

As soon as you move your critical data off site, the internet connection probably becomes mission critical, however, an ADSL line is probably far more vulnerable and may well take longer to get repaired than a server in your office.

Therefore, if you are a small business moving towards hosted applications but don't want to spend thousands every year on leased lines, you need to consider alternatives:

• 3G data via a mobile network - as well as 3G cards for PCs and laptops, there are some business firewalls that will take a 3G data card and provide a cost effective 'fall-back'.
• WiMax - a wireless based internet service provision for business. These are becoming available in major cities, provide really good SLAs and excellent resilience at about the same cost as SDSL.
• It's normally regarded as waste of time having two ADSL lines as they are likely to come from the same exchange, however, if you can get a second cable based DSL, this can make a good backup.
• A more dispersed workforce - encourage home working or at least provide the facility for staff to do so as part of a DR plan.

Other articles and information:
An article on Business Continuity and SaaS by John Gannon
Salesforce.com
Urban WiMax

First steps to IT Security (for non-IT professionals too)

I will cut right to the point: above all, have an IT Security Policy in place. Data loss and damage to reputation from ignorance rather than deliberate sabotage is easier to prevent and far more likely - let your staff or co-workers know what is and is not acceptable. Your biggest and most likely risks are loss or theft of data, including damage through viruses and worms - not hackers.

Assuming all the basics are in place (backup, anti-virus, etc.), having a policy in place which contains some basic procedures is pretty much the most important thing you can do. This will allow you to control the flow of data into and out of your organisation and better protect it.

Policies will have to be different for each organisation, but I want to give a few ideas you could consider:

Security of backup media: You may well be in the habit of taking tapes off-site, despite widely publicized security lapses in government and large organisations, a significant proportion of backup tapes are being ported around without even basic security. Check if data on the tapes is encrypted - many backup systems do not do this by default. If your backup tapes cannot be encrypted, consider whether they should be in a pocket or handbag on trains, buses etc.

Database Security: Can people take your data easily. Examine the risks, it is commonplace for data to be transferred straight out of networks via FTP, Google Documents or even a Hotmail account. These holes can be closed.

USB Drives: In a survey last month, almost a third of those questioned admitted that they had lost a USB key. Of these, only a really small proportion had encrypted the contents. Is it worthwhile telling staff not to use portable drives?

External email: Encouraging personal use of business email may sound risky, but weigh it up against the risks of staff using less protected email systems that could bypass security and scanning you already have in place and be an easy way for viruses to inadvertently get into your network.

Mobile devices: If you allow staff to collect, send and store business email on mobile devices (Blackberries, iPhones, etc.) the risk of data loss or theft is significant - Last weekend the story broke of the Blackberry purchased on ebay containing contact details of dozens of A-List celebrities - according to press reports it was in fact lost over 18 months ago - it could in fact have been remotely wiped in minutes if it was set up as part of a business system.

Passwords - give people ideas on how to create a secure password, tell people they shouldn't give them out to co-workers.

Business Continuity Planning - now the horse has bolted, let's shut the stable door

Many small businesses are only just beginning to consider Business Continuity Planning, perhaps more imaginable risks like the recent severe weather will get SMEs moving faster on this. Larger companies now have sophisticated plans in place, the agility of small companies should allow a rapid catch up; agility is a major tactical advantage of small business as well as being a valuable asset in BCM.

I won't begin to outline a "one size fits all" disaster recovery plan, but instead here are five, quick to implement, top tips for small businesses to prepare for the smaller (but more likely) emergencies:

Know how to divert phones to somebody's home
If you have a VoIP phone system, chances are you can have an IP handset set up at home quite easily and cheaply or have a softphone installed on a PC or laptop, make sure you know how to add it to the "hunt group" so it rings with incoming calls on your main line when you need it to. Even with an analogue BT line you can order BT's divert service so diversions to a different number can be set up almost instantly.

Plan to run Accounts systems from a laptop
The accounts system is often the source of important contact information for customers and suppliers. The data files are typically held on a server but a separate online backup which can quickly be restored to a laptop with the accounts software on, provides quick easy business continuity for lots of possible scenarios. Even sophisticated SQL finance systems can often be run from a typical laptop.

Outlook on your laptop
If you run an Exchange Server, consider having Outlook data "cached" to your laptop so that your calendar (and mail, contacts, etc.) are available, even if a connection to your server isn't.

Keeping good communication with our clients helped to keep things going better than anything over the last few days - I found all our clients and partners were very upbeat and accommodating of changes to meetings and appointments.

Staff contact details
Having a Google Spreadsheet with staff contact details on means information can be accessed anywhere by anyone with proper permissions - staff could even keep this up to date themselves. Again this provides an accessible resource that doesn't rely on the standard infrastructure.

Free training
Consider participating in a Project Argus event, these are free simulations run by the National Counter Terrorism Security Office - while geared to disaster recovery from a terrorist attack, there are great lessons for BCM generally.

Other resources
Hertfordshire council produce an easy “10 minute assessment” that give some good pointers, you can download the pdf here.