Ross Schulman is a Policy Manager at Google
Earlier this week, Leviathan Security Group released three white papers that explore cybersecurity in cloud computing versus local storage. Each paper examines a different aspect of security and storage, including availability, cost, and talent acquisition. In general, Leviathan finds that cloud solutions are generally more secure, resilient, and redundant than local equivalents.
A few data highlights:
Cloud services provide much better resiliency and redundancy than local services in the face of disasters of all sizes—from small transformer explosions that affect 30,000 users to superstorms the size of Thaiphoon Haiyan. This means quicker data recovery and the ability to keep communications infrastructure like email up and running, which is essential in a post-disaster environment.
Even with increasing emphasis on STEM education and growth of computer science programs, organizations—private and public—will not be able to acquire all of the talent necessary to satisfy the demands of local storage infrastructure. For example, there are currently over a million open security positions worldwide, but beginning in 2017, all of the GCHQ-led cybersecurity programs together will graduate just 66 PhD's per year.
Of note for numbers lovers, the paper titled “Value of Cloud Security: Vulnerability ” lays out a thorough analysis of storage needs for companies of different sizes and compares cost of cloud versus local storage solutions. They find that cloud solutions are cheaper for small organizations in the near term and provide better security because of the expertise, which is concentrated in large organizations.
So what do these findings mean from a public policy point of view? Many countries, including Brazil and Russia, have proposed laws requiring that companies keep the data of that country’s users within national borders. This idea, known as “data localization,” purports to keep citizen users safer and out of the hands of spying governments and hackers.
However, forced data localization prevents companies, governments, and organizations from realizing many of the benefits afforded by cloud services. For example, if a local data center is impacted by a natural disaster, that data is not replicated elsewhere and thus is lost. And given the shortage of security expertise, there’s simply no way that every organization’s security infrastructure for locally stored data can keep up with the state of the art. Finally, preventing small enterprises like startups from using cloud services means that they must take on additional costs in terms of talent and infrastructure, and will likely end up with systems that are less secure than what cloud infrastructure would provide. In the end, data localization reduces opportunities, results in weaker security, and, in some instances, compromises the availability of data.
To learn more about data localization proposals around the world, check out Anupam Chander's paper, "Breaking the Web: Data Localization vs. the Global Internet ."