

Cloud Security: Or, How I Learned to Stop Worrying and Love the Cloud

by Bryann Alexandros.

Credit: KayVee.INC via Flickr

Cloud security can keep people up at night. Migrating current data amidst the onslaught of downtimes and breaches can be daunting to imagine. Because what if it happens to you, the nonprofit?

Here’s a recent comment I made on Tech Soup’s “Security: The Scary Part of Cloud Computing”:

…The cloud can make good business sense, but sadly, FUD is ultimately where the story stops for some folks because of the misconceptions re: cloud security. “Is cloud computing more secure? Less secure? 100% secure?” I mean, they’re legitimate concerns, but without context, questions like these can’t be answered upfront with “yes” or “no.” By context I mean: what data are we migrating to the cloud? Where is it being stored and how? What equipment are they running on? What’s the value of the data and the risks if it got into the wrong hands? Who exactly is handling the organization’s data on the other side? Not all cloud vendors handle their security similarly, and not all cloud vendor offerings are made equal. As illustrated by The Register article, even some SaaS services can offset parts of THEIR infrastructure stack to other cloud vendors, so this further throws in more complexity to the “security” issue…

(Read the article here, too. It’s an excellent summary of another presentation given by Donny Shimamoto during NTEN’s Cloud Computing Summit.)

I should elaborate on my comment. I just happened to be reminiscing about another thing I’ve seen somewhere.

I’m not against cloud computing. I’m actually all for it and an advocate of helping nonprofits weave it into their objectives only if it makes good biz sense.

The “security” part tends to get judged in absolute binary terms: the “Cloud” being either “more secure” or “less secure.” If taxonomy confusion wasn’t enough, now there’s the issue of what a totally secure cloud should look like.

The hard truth is that there’s no magic formula for security. Understandably, you’re giving up total control and oversight of your data. The anxiety is natural, but judging cloud security in these absolutes is impossible, not because the tech is young or because people like being evasive, but because of the depth and breadth of IT security.

More secure? Less secure?

To visualize cloud computing, I broke it down in another blog post: The Simplest Way to Understand the Cloud

It’s really about the elasticity, scalability, and the rapid delivery of utilities and resources without worrying about the maintenance and upkeep of the underlying technologies to do it. This is also what allows for the pay-as-you-go or pay-per-use business model. But what parts of the infrastructure get offset and how deep down the cloud computing stack you go is driven by your organization’s needs.

Here’s what the “offsetting” might look like:

Credit: Silverlighthack.com

The same IT issues that might’ve challenged in-house systems and personnel no longer become an in-house undertaking: this is now the vendor’s undertaking, but it doesn’t free you from evaluating the best vendors who will match your security standards. And it doesn’t free you from at least enforcing basic security and common sense policies within your organization, too:

A nonprofit’s security policy should also be strong, or at least taken seriously. If a nonprofit’s in-house network security ranks poor, applications haven’t been patched in ages, the staff has shady computing habits, or password policies are just “whatever,”… Well, data can still be vulnerable via these other trajectories. A nonprofit’s faith invested in a cloud vendor must also be matched by the faith invested in the security policies within their own perimeters.

So the point of all this? Security means different things throughout the many technological processes affecting each layer.

  • How is data handled, authenticated, authorized, and encrypted?
  • What are their application processes like?
  • Their infrastructure?
  • How competent and experienced is a vendor’s personnel?
  • What are the contingency and/or backup processes in case of downtime or breaches?

The list goes on.

So, you can’t carpet-bomb the entirety of cloud computing as either “less secure” or “more secure” because of the lack of context from which the question is typically asked. Too many variables can play into the strength and reliability of a vendor’s security.

So what’s a nonprofit to do?

So far the consensus is to take a holistic approach:

  • Know what technology resources you have right now.
  • Know what parts of your resources can be possibly offset.
  • Know what your security requirements are.
  • Know how to evaluate cloud vendors based on those requirements.

The better question to ask:

Will a cloud vendor have better resources to handle both the security and delivery of utility than if it were to be done by the nonprofit alone?

And if true:

Does the cloud vendor proactively adhere to best (or even better) practices and the most stringent standards of security, reliability, and data integrity? (more on this here.)

Most cloud vendors will have this capacity and the certifications for all of this.

Sum up

Do understand the risks and the trade-offs, but don’t forget how important cloud computing can be to your in-house operations: Does cloud computing help your organization grow? Does it take the mission further? Get things done efficiently or cost-effectively? How valuable is your data and what can you afford to entrust to a third party? What are the opportunity costs of NOT integrating cloud computing? Would it make better sense to be part cloud while keeping certain functions in-house?

Just don’t let FUD end the discussion.

So what’s your story? Are you in the middle of integrating cloud computing into your organization? Love stories or heartbreak in the cloud? Share it in the comments.