Judging from the messaging, reviews and conversations that came out of the SharePoint conference earlier this month, the word from Las Vegas could be summed up as, "It's all about the cloud, stupid!"

With Office 365 growth surpassing SharePoint's, Yammer the new focus of social, and the newest buzzwords Office Graph and Oslo, the drumbeat you hear is the continued push to the cloud.

But the messages that the social collaboration strategy will now be based on Yammer, and that there will (at some point) be strategies to migrate on-premises SharePoint customers using the out-of-the-box social functionality over to Yammer, are not very reassuring.

Are Vendors Doing Enough Around Cloud Security?

Although I use Microsoft as an example, I'm not picking on them -- this applies across product segments and across vendors -- and on-premises systems also often have compliance issues in highly regulated industries. But in the rush to both public and private clouds, are the vendors doing enough to support customers in financial services, health care, pharma, life sciences, etc.?

While a lot of the marketing focuses on secure login, integration with on-premises identity management systems, and the standard use of TLS / SSL for securing data as it passes “over the wire,” generally speaking there is a lot less of a focus on securing the content once it is in the cloud, for example by encrypting data at rest. If the vendor can do this, the next questions to ask are where the encryption keys are managed and who has access to them. Do the vendor's system administrators have access to the keys for “maintenance,” diagnostic and troubleshooting purposes? Or does your own staff hold the keys on your own internal systems -- and does that necessarily make them safer?

I make this last point because while you may feel safer setting up and running your own firewalls, intrusion detection systems and more, your on-premises solutions may not be all that much more secure than those of any particular cloud vendor. No one said that the world's various regulatory bodies have to keep up with the latest in technology. They tend to be conservative due to the very nature of their existence, and hand down regulations and direction to their constituents that are also conservative, restrictive and -- dare I say it -- not always very tech savvy.

Cloud Based Collaboration (With High Level Security Please)

So back to our Microsoft example. In a regulated industry you may need multiple third-party vendors to ensure that using offerings like Office 365, Yammer, Office Graph and Oslo actually meets the requirements placed on you.

There may be ways to roll these out to only certain workers doing specific tasks, and therefore circumvent regulatory worries. As we discussed last month, team collaboration does not always have to cross enterprise-wide boundaries and may exist quite legitimately within a silo. However, if you're rolling out a single tool to gain efficiencies of scale on the infrastructure and maintenance side of things, it can be quite difficult to corral the use cases. You may decide you just have to treat the entire infrastructure and all your users as “regulated.” To stick with our Yammer example, here are some sample use cases:

  • Marketing people discussing potential for new campaigns -- OK with standard product, nothing extra needed
  • Brokers discussing high net value customers -- requires compliance rules to be followed and probably requires at least “obfuscation” of data on the cloud servers
  • CEO / COO and senior executives discussing potential merger and acquisition activities -- compliance rules and strong encryption of data at rest

So if the base product suite -- be it on-premises SharePoint 2013 or cloud-based Yammer -- does not meet all the requirements, what can you do? I suppose you could look to a specialist vendor or your own development teams to build a fully secure and compliant custom system, or, perhaps more realistically, you could look to third-party vendors to help meet the requirements:

  • Actiance -- an example of a compliance specialist that provides products which meet regulatory compliance needs such as real-time monitoring, archiving, etc.
  • CipherCloud -- an example of an encryption gateway product which encrypts your data, with keys you maintain and manage, before the data leaves your network for the cloud

Cloud Solutions: Quicker, Easier, Cheaper ... Not!

Well, maybe they are, unless you're in a regulated industry. Adding the license costs, infrastructure costs, integration, personnel to manage them, etc. adds considerable complexity and cost to any particular solution. Suddenly the cloud option doesn't look any quicker or easier than an on-premises build, and it definitely isn't looking any cheaper.

But considering the recent revelations and scandals about the NSA in the US and GCHQ in the UK (and even CSIS here in Canada), is it really just heavily regulated industries that are looking for high levels of security and data privacy functionality? Should vendors be building this functionality into the base level product, or is it OK to say “you're going to have to spend extra money with our preferred partner” to meet your requirements?

From a different perspective, let's return to our Microsoft-based opening example: How exactly will Office Graph work if everything in Office 365 is encrypted at rest? Will the cloud data centers need an increase in horsepower so that they can decrypt on the fly in order both to crawl for search purposes and to allow the “connections” to be mapped? Or will we rely on unencrypted metadata being used to build out these new features and functions?
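The encryption gateway pattern described above (keys held and managed by the tenant, the body encrypted before it leaves the network) and the question of what a cloud service can still index once that body is opaque, as an added Go example that is not part of the original column and is not any vendor's code. It models the gateway with AES-256-GCM from Go's standard library; the message layout, the field names, the `Provider*` functions standing in for the cloud side, and the sample messages are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Message is what a user writes inside the corporate network (constructed layout).
type Message struct {
	Author, Recipient, Subject, Body string
}

// StoredItem is what the cloud provider actually receives and stores:
// routing metadata in the clear, the body only as AES-256-GCM ciphertext.
type StoredItem struct {
	Author, Recipient, Subject string
	Nonce, Ciphertext          []byte
}

// NewTenantKey generates a 256-bit key that stays on the tenant's own systems.
func NewTenantKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// aad is the cleartext metadata that is authenticated (not encrypted) with the
// body, so the provider cannot quietly re-label an item without detection.
func aad(author, recipient, subject string) []byte {
	return []byte(author + "\x00" + recipient + "\x00" + subject)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs at the gateway on the way out of the network.
func Encrypt(key []byte, m Message) (StoredItem, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredItem{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per item
	if _, err := rand.Read(nonce); err != nil {
		return StoredItem{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(m.Body), aad(m.Author, m.Recipient, m.Subject))
	return StoredItem{m.Author, m.Recipient, m.Subject, nonce, ct}, nil
}

// Decrypt runs at the gateway on the way back in; it fails if either the
// ciphertext or the cleartext metadata was altered while in the cloud.
func Decrypt(key []byte, s StoredItem) (Message, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Message{}, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, aad(s.Author, s.Recipient, s.Subject))
	if err != nil {
		return Message{}, errors.New("authentication failed: item or its metadata was modified")
	}
	return Message{s.Author, s.Recipient, s.Subject, string(pt)}, nil
}

// ProviderSearch models what the cloud side can index: only the cleartext fields.
func ProviderSearch(items []StoredItem, term string) []int {
	var hits []int
	term = strings.ToLower(term)
	for i, it := range items {
		if strings.Contains(strings.ToLower(it.Author+" "+it.Recipient+" "+it.Subject), term) {
			hits = append(hits, i)
		}
	}
	return hits
}

// ProviderConnections models a "who talks to whom" graph built from metadata alone.
func ProviderConnections(items []StoredItem) map[string]int {
	edges := map[string]int{}
	for _, it := range items {
		edges[it.Author+"->"+it.Recipient]++
	}
	return edges
}

func main() {
	key, _ := NewTenantKey()
	msgs := []Message{ // constructed sample messages, not real data
		{"ceo", "coo", "Q3 planning", "acquisition of Contoso at 12x EBITDA"},
		{"marketing", "ceo", "campaign ideas", "spring launch brainstorm"},
	}
	var stored []StoredItem
	for _, m := range msgs {
		it, _ := Encrypt(key, m)
		stored = append(stored, it)
	}
	fmt.Println("provider hits for 'acquisition':", ProviderSearch(stored, "acquisition"))
	fmt.Println("provider hits for 'planning':", ProviderSearch(stored, "planning"))
	fmt.Println("provider-visible graph:", ProviderConnections(stored))
	back, _ := Decrypt(key, stored[0])
	fmt.Println("tenant-side decrypt:", back.Body)
}
```

Running it shows the trade-off the column raises: the provider cannot find "acquisition" because the body is opaque to it, but it can still search the subject line and can still draw the ceo->coo edge from the cleartext routing fields. Anything a service needs in order to crawl or map connections must either stay unencrypted (and so be treated as data the provider sees) or be decrypted with keys the provider is given, which is exactly the key-custody question raised earlier. The GCM associated data also means that if the provider changes an item's subject or recipient, the tenant's decrypt fails rather than silently accepting the relabelled item.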

My conclusion is pretty much the same as it always is: don't believe the hype and don't fall for the rose-tinted vendor marketing view of the world. If you're in a regulated industry, be prepared to pay more than everyone else for a performant solution.

If you think I am way off the mark, or if you have an example that you would like to share, please contribute in the comments section below.