Cloud computing is all the rage for some firms. But should very sensitive HR data reside on the Internet?
Cloud computing refers to keeping data on vendors’ servers operating on the Internet or “in the cloud,” and not on a company's computers. Think software-as-a-service (SAAS).
Most experts say the advantages are many. But are they worth the risks?
Cloud hosting takes up less space, saving companies thousands of dollars by allowing them access to expensive technologies, yet companies pay only for the services they use. By “renting” rather than buying software to house payroll, benefits or recruiting data on vendors’ servers, for example, managers can relieve themselves of IT maintenance burdens. It’s convenient, too.
“Cloud computing makes an IT investment more efficient, flexible and faster and allows access to data anytime, anywhere, any place and with any electronic device,” said Jose Granado, a security expert with Ernst & Young.
But having ubiquitous access to that data make that data more prone to theft. “The more connected we become, the more exposed we are,” Granado said.
Consider this: In June 2011, Dropbox, a popular cloud storage site where 25 million people store their videos, photos, documents and other files, inadvertently left the site open for four hours on Father’s Day. The glitch let anyone log in to customers’ accounts with any password.
Now imagine if those files included sensitive employee data such as Health Insurance Portability and Accountability Act (HIPAA) information or data from E-Verify such as Social Security numbers and dates of birth.
Get the picture?
Yet, many cloud providers would have their customers believe that utilizing cloud storage is completely safe.
But is it?
“That’s a great question,” said Damon Petraglia, director of forensic and information security services for Chartstone LLC. Petraglia is a consultant for the electronic task force for the U.S. Secret Service as well. “There’s no way to know unless you assess the cloud you’re going to put your data in.”
Experts say that people looking to use cloud computing—especially HR departments—need to do their homework before putting their faith in the cloud.
Cloud computing is growing. According to Ernst & Young’s Global Information Security Survey, released in late 2010, 45 percent of companies were expected to use cloud computing by the end of 2011. According to International Data Corp. (IDC), the cloud computing market could hit $72.9 billion by 2015.
Although cloud computing services are gaining greater acceptance, organizations must still address the potential risks before they move their business applications to the cloud. Ernst & Young’s survey shows that nearly half of respondents are engaging in, evaluating or planning to use cloud-based solutions. However, the top risk most concerning businesses about using the cloud is compromised data. Not knowing the exact location is a fear as well.
“Basically, when you put data into a cloud you may not know where it is,” Petraglia said, as some Amazon customers discovered on Aug. 7, 2011, when a power outage interrupted Amazon’s only European data center in Dublin for two days, leaving the company struggling to restore customers’ data.
Data in the cloud, Petraglia pointed out, is only as safe as the company hosting it.
“So when it goes into the cloud and you let someone else be responsible for it, you’re taking a risk,” he said. If the information is compromised or hacked, the company will be on the legal hook, not the service provider.
Say, for example, “a church website has its data residing on the same server as a porn website. How well locked down is that server? If I’m the administrator for the church website, could I escalate my privileges and get into that porn site and manipulate other things on that server?”
He added: “If you have extremely sensitive data—national security data—then you do not want that comingled with people shopping for shoes and looking at porn and funny pictures of cats. You want as much possible control as you can have.”
During a session at the International Association for Human Resource Information Management, Inc. (IHRIM) conference in the spring of 2011, Brian Richards, vice president of Client Technologies for SIRVA, Inc., heralded the benefits of cloud computing for HR.
But he added that with data security “there’s no silver bullet. If you’re evaluating a vendor and are concerned with data security, look internally and see if they can do it better than your IT department. Do due diligence.” He said that, in many ways, a cloud computing provider has to demonstrate that it has good data security—more “than your IT department, because if they have a data breach, they’re out of business.”
Dev Chanchani, president of INetU, a cloud computing provider, concurred, adding that there are three broad categories to consider when selecting a cloud computing provider: physical, technical, and administrative.
“You’ll want to access logs, tour the data center, go through data center questionnaires and see who has the administrator’s password,” said Grady Summers, principal, information security, at Ernst & Young. “Make sure that the service provider can meet regulatory requirements as well.”
Summers said cloud computing can be “very secure, but companies can’t rush into it.”
There is a tradeoff, he added. “You’re going to have to accept [that] you’ll never be able to do an annual review of the data center. You might get better security, but you’ll have to adjust the way you think about security in the cloud.”
Aliah D. Wright is an online editor/manager for SHRM.