This post was originally posted in Wired Innovation Insights.
In September 2013, my company AdeptCloud was acquired by Hightail and I moved from providing a private cloud service to secure file sharing in the public cloud. The switch has been fascinating and I’ve learned three key attributes of public cloud security that will be useful to any business considering which provider to trust with its valuable data.
First, here’s a quick explanation of the difference between the private and public clouds. A private cloud provider like AdeptCloud provides secure access and sharing services to businesses that have the infrastructure and technology in place to protect their information on their own servers. File sharing services like Hightail store data on secure servers, so companies can rely on their expertise and technology instead of building and maintaining their own business-grade security infrastructure.
Private and public clouds may differ in terms of technical security needs, but the best should share the same essential values. Exploring these key factors should be top of your list if you need to evaluate the security of a potential cloud provider.
In 2011, the world’s largest file sharing service, Dropbox, had a major security scare when a bug in their code allowed users to log into their accounts without requiring a password, which of course meant that anyone with your email address could also access your files.
Mistakes and oversights can happen to any business, but this episode made me question Dropbox’s overall attitude toward security. How high a priority is it for them? After all, Dropbox is primarily aimed at consumers, who don’t tend to place too much importance on security.
Providing great security involves many mundane and repetitive tasks—the digital equivalent of a security guard doing the rounds of a building at night. If the guard is too eager to get back to his crossword puzzle he might miss an open window. Your unbreakable system is suddenly wide open, just as human error can allow a piece of bad code to be pushed.
When considering a potential cloud provider, make sure they are focused on your needs. Is it aimed at professionals or consumers? When they talk about security, do they revel in details and enthuse about processes? That’s a sign that the business has a culture that prioritizes the security of your data.
Since being founded as YouSendIt in 2004, Hightail has had security built into its technology and culture. We’re not just a consumer product with enterprise-grade features bolted on.
Great security is less about displaying strength and more about recognizing your vulnerabilities. You have to constantly seek out your weaknesses and deal with them honestly.
This is harder to assess in a potential provider because they’re not going to openly discuss potential weaknesses with you. But you can ask about past problems and how they were discovered and fixed. If they tend to uncover issues through systematic testing and discovery, they probably have a healthy awareness of their own vulnerabilities. Problems repeatedly coming out of the blue are a big red flag.
One of our current concerns regards the potential for internal leaks, as made infamous by the WikiLeaks and Edward Snowden revelations. Though Hightail’s encryption infrastructure prevents third parties from accessing our servers and your confidential files, the possibility of an employee with authorized access choosing to leak material remains.
We’re currently introducing advanced security features that protect files behind multiple, isolated keys, making it far more difficult for an internal agent to access and disseminate files. We’re also exploring ways for our customers’ account administrators to spot abnormal user behavior in order to identify potential leaks on their side.
There’s a droll truism in the security industry that the most secure computer is one that’s not connected to anything. The joke being that it’s not much use for actually working with anyone else.
But you can extend the logic (if not the humor) the other way. A connected system that is too tangled with encryption keys, firewalls, passwords and other security blockers becomes equally useless. Frustrated users will turn to other, usually unauthorized, solutions, making your information more vulnerable than ever.
A secure service must include an intuitive interface or people simply won’t use it. So take the product for a test drive and get your team using it in full-on security mode. Was it a good experience or did people find it painful? A perfect mix of security and usability will ensure everyone uses the service, making your data more secure.
What I love about Hightail is that users can easily choose extra sharing controls, like password protection, to protect a sensitive file. In addition, a company’s account administrator can decide which of the control options are mandatory or set a feature as the default option but allow the user to turn it off if necessary. This is a perfect example of providing tight controls that are in balance with the overall user experience.
This kind of balance along with an attitude that prioritizes security and a continued awareness of things that need fixing are the keys to finding a cloud provider that you can trust with your company’s valuable information.