As the Director of Security for a big data company operating in the public cloud, “objection handling” is becoming an increasingly important part of my job. So far I’ve been largely engaging in this proactively: educating our sales and marketing forces, writing blogs and putting together a white paper discussing our security philosophy and some of our design principles.
I have also been talking one-on-one with some of our customers who have security concerns and discussing our plans to obtain various certifications and attestations. For these customers, most of whom are cloud companies themselves, there is no barrier to entry to the cloud other than having all of the proper paperwork in order (which is something we are working diligently towards).
None of these endeavors has yet put me face to face with anything I would label a true objection to our security or the security of the public cloud in general. Yet I know these objections exist. I have heard that some companies will not even consider a cloud-based solution due to their vague “policy” regarding anything cloud.
I would like to think that these objections and vague policies are more than just the knee-jerk reactions of my policy-writing colleagues in the security world to rapidly emerging technology that they have not yet taken the time to understand. I would like to think that their policies and controls are based on well thought-through logic and grounded solidly in their respective business needs and security postures. I would sincerely hope that the vein of technological conservatism that runs within the information security community is not so deeply ingrained as to blind us to the many advantages that are available in the public cloud.
Because the fact of the matter is that the economics make cloud adoption inevitable, and the current over-crowded, expensive-to-maintain legacy situation in many enterprise data centers is untenable. The increased productivity and decreased time to market for new and powerful services alone are enough of a driver to counterbalance some of the risks inherent in taking on any new technology or platform.
With discipline and adherence to age-old best practices surrounding data encryption and operational security, there is no reason to trust the Public Cloud any less than you trust the Public Internet or the Public Switched Telephone Network on whose shoulders this new Public Cloud firmly stands. And I will also note that massive volumes of highly sensitive data transit these other public networks constantly as a matter of business, and we as an industry and a society deal with that just fine.
At Sumo Logic, we employ encryption end-to-end and we take our security and processes very seriously. We believe that we offer a highly secure service and we have employed some of the best penetration testers in the world to shake us down, and in case that isn’t enough, we have built features into our service that allow you to control at a very granular level what data you send to us.
I would like to start handling any serious objections that still remain out there. If there is FUD, I would like to address it head on. Where there are legitimate concerns, I want to hear about them and ensure that here at Sumo Logic we work together with each other and our service and infrastructure providers to take the proper steps to address and solve those issues. I believe that the cloud is both safe and inevitable, and considering and responding to concerns will lead to even more solid and secure solutions.