Expert: Cloud risk often overlooked
LOS ANGELES – When Thomas Trappler talks clouds, companies listen.
But he’s not warning about rain. Rather, Trappler is a “cloud” consultant, who tells attorneys, executives and fellow information technology experts what to look out for when they put company databases in the so-called cloud.
As more companies rely on remote cloud servers to store their files, Trappler has become a highly sought-after security adviser, a celebrity of sorts in the rapidly growing cloud computing industry.
“No one’s teaching people about this,” Trappler said. “At the moment, I don’t think there are very many people like me.”
Trappler is the director of software licensing at UCLA – a job that opened the door to his lucrative moonlighting.
For years, he had been buying licenses for programs, such as Microsoft Office, so that UCLA faculty, students and staff could use them. But the rules started to change five years ago as these programs moved into the cloud, turning into apps such as Office 365. Trappler studied until he became a go-to expert nationwide.
“It’s easy to overlook security because of the virtual nature of the cloud, but really your data is going over the Internet to another computer and not to some magical world where everything’s going to be fine,” he said.
The $40 billion cloud industry, as measured by the research firm IDC, is attractive to companies. By transferring files via the Internet to a hard drive located in a data center or server farm, users can access the data from any Internet-connected device.
Online retailer Amazon.com Inc. is one of the largest data center providers, housing data on behalf of thousands of companies including Netflix Inc., Dropbox Inc. and Autodesk Inc. Other large cloud providers are Google Inc., Microsoft Corp. and Rackspace Inc.
What troubles Trappler is that not every company considers security issues before agreeing to move consumers’ data onto cloud services. Half of companies surveyed in December by Ponemon Institute, an independent research firm, reported that they had not taken security risks into account when striking cloud deals.
Trappler has advised more than 50 companies and has spoken to hundreds of people at conferences about what qualifies as “reasonable measures.”
He suggests that companies consider, among other things, encryption methods and reliability of the storage computers. Other possibilities include background checks of the cloud provider’s employees and clear notification policies in the event of a breach.
The biggest sticking point in deals is often deciding who’s responsible for the repercussions when data are stolen. Companies want cloud providers to pick up the tab, since the companies sometimes have little insight into the providers’ security measures.
“The client wants to be able to verify the service provider’s security claims,” Trappler said. “But the more details they reveal, the less secure the provider’s infrastructure becomes.”
Some cloud providers certify that they meet standards set by the government or third parties when it comes to storing financial and health care data. But few let potential or current clients test physical or digital security. The clients are left feeling insecure, although they may be on the hook if something goes wrong.
David Tollen, author of “The Tech Contracts Handbook,” said all a consumer can do is see whether the company he or she is dealing with has a good reputation of trust.
Some in the cloud contracting business expect to see more regulations related to cloud storage. But until that happens, people such as Trappler remain important guardians of data.