So they sold you on migrating to cloud, is that the answer to all your worries? Far from it. Migrating to the cloud can give you the convenience of easy access to your email and documents, as well as reduce overhead in terms of machines and manpower. That does not mean that you can trust your important data to a single ‘cloud’ provider, no matter who they are. Nor does it mean that it totally resolves any issues with respect to security, compliance and data protection.
When it comes to security, are you safe from Email-borne threats just because you are using a cloud email server (service)? No way. Whose responsibility is it to stop an Email-born threat you receive via your ‘cloud host’ even when the threat was imbedded in an email from another member of your own organization? Your responsibility to safeguard your local hardware from Email-borne threats is the same with any cloud-based Email server as it is without it. You still need a way to protect from email-hosted malware, spam and viruses designed to deal with the most sophisticated of targeted attacks, even if they come from another member of your own team.
Are emails moving from cloud to your local environment, be that single computer or vast local network, adequately encrypted and data leak protected to insure that any sensitive data is ‘kept secret’? You can’t rely on your cloud email provider to insure that sensitive data is being filtered from leaving your organization, and that you are blocking outbound spam and malware thus preventing your organization from becoming a source of malicious emails or documents.
Are you certain that your emails and documents are being properly kept in accordance with compliance requirements? Oh sure you are...NOT! There are strong legal and business reasons to make certain that emails and documents are retained, archived properly, and continue to be easily searchable. After all, it does absolutely no good to keep a record if you can’t find where you kept it. You need to be able to set policies that insure that important emails and documents are retained and archived for discovery even if your cloud provider is Fort Knox. You need to be confident in the fact that archived emails and documents are free from possible tampering, contamination or unauthorized removal.
If you got into a dispute with your cloud provider over an email you absolutely were confident was supposed to be in your data, that you couldn’t find, how would you prove it should be? Or that you, or another member of your staff, didn’t delete it from ‘their cloud’? Think about you answers to those two questions, why don’t you.
And what about the physical security of your ‘cloud data’… how is that going for you since your migration? Although cloud services protect data from on-premises hardware problems, perhaps even from natural disasters, there are still inherent risks associated with cloud-hosted data regardless of the host provider. Data loss, minor or major, man-made or otherwise, intentional or accidental, still have a finite probability of coming into play. In fact, you are just as apt to have one of your own users delete data from Exchange Online (or some other cloud-based email server) as when you were running your own local Exchange Server.
For years we were told to ‘backup our local data to a cloud provider’, now that our data is in the cloud are we ‘backing up our cloud data to somewhere else’ irrespective of what/where/when our cloud provider may be backing up our data? Hosted data in the cloud does not mitigate the need for backup and recovery steps that you control. If you are exclusively relying on your cloud provider for backup and recovery you may find yourself ‘crying in your milk.’ Emails and important documents, despite being resident in the cloud, are still susceptible to corruption and even pose a risk of being unrecoverable due to malicious attacks or accidental deletion. You might say, “I will just sue my cloud host if they lose my data”, but what difference does that make if what you need most is the data that was lost? It really is still ‘up to you’ to safeguard your data, just like it has always been.
People will say, "Murph you are just a worry wart..." or "Murph you are just being negative about this 'going to the cloud business..." or "Murph, the cloud is here to stay, embrace it." Well all of those things may very well be true, but don't come knocking on my door when you encounter one of the issues I have raised in this article, and you haven't taken a single step to mitigate the damages because your 'cloud provider' told you that '"things like that just can't happen in 'our' cloud."
There are solutions to all of these issues, perhaps if enough of you ask (via comments) I might just give you a few answers (in a future article) to 'those things that just can't happen.'