CEO of 1Password.
When we think of protecting business data, we tend to think of company secrets: pending patents, decades of source code or a world-changing algorithm. But just as important is the data we hold about people: our suppliers, customers and employees.
Gathering information is inevitable when doing business today. But it’s not just the obvious things like credit card details and Social Security numbers. Even people’s names, emails and IP addresses can be used to identify individuals, so we have an obligation to keep them safe. But in the 21st century, this stuff oozes out of the woodwork. Anywhere you talk to customers, you’re likely collecting reams of data, both manually and through automated systems.
In the good old days, when information lived on pieces of paper, a security model based on the fortress made sense. What we call on-premises security was all the security we needed: our walls, locks and security guards protected everything, our data included. Simple.
It even worked well when computers started landing on desks, because those computers, their accompanying floppy disks and the data stored on them stayed on the premises too. But then, of course, the internet happened. You’ve probably heard of it — bit of a game-changer.
Suddenly, data started to dribble through company walls via copper cables in the form of electronic messages called “e-mails” (complete with a quaint hyphen for your nostalgic pleasure) and the digital files attached to them.
Then, as a bit of a curveball, the lowly USB stick came along. Suddenly your whole team was shuffling bits of data between computers and these thumb-sized gadgets. They were a boon for convenience but a nightmare for security: file control went out of the window, and suddenly every USB port in the office was an attack vector for computer viruses and other malicious code brought in through the front door (and right past the security desk) on a USB stick in someone’s pocket.
But still the old idea of the fortress held on. We set up firewalls to monitor all internet traffic going in and out. We implemented security policies banning the use of USB sticks on company computers. And we installed antivirus software on every machine so we could make mini fortresses of them too.
But as internet connections became ubiquitous (and much, much faster), the software that once ran locally began to add online functionality, and pretty soon we realized that when these apps ran entirely in the cloud, things were just better. We could work from anywhere. Data could be shared in seconds. We didn’t lose hours of work because we deleted the wrong file or a blue screen appeared to ruin our day.
But when the cloud took our software, it took our data with it. It’s not just the obvious places like Dropbox or Google Drive — the cloud services designated for data storage. The cloud is everywhere: your email services, your collaboration and messaging tools, and certainly any services you use to talk to your customers. They all hold sensitive data. And then there’s the apps you don’t even know your team is using, the ever-present specter of shadow IT.
The old model of the fortress no longer holds up — largely because it’s impossible to tell where the walls are anymore. We need to think predominantly in terms of online security because that’s where many of the threats are now. Whether they take the form of data breaches, phishing attacks or credential stuffing, there is no shortage of faceless, nefarious scammers using every trick in the book to get hold of data they have no right to access — usually with the end goal of stealing or extorting money.
Yet, even with the rise of the cloud, we sometimes strive to extend the on-prem model — and to the breaking point. We create virtual private networks to extend the fortress walls around home workers. We install cloud services on company servers to wrestle back some semblance of control.
But the cloud isn’t going away. The benefits far outweigh the challenges, but we do need to take those challenges seriously. When we outsource services to the cloud we are also, to some degree, outsourcing security. That means not only understanding the security measures cloud services employ, but also being smart about how we choose to use them. A service may be invaluable to our day-to-day productivity, but it may not be suitable for storing sensitive data of any kind.
As long as we are physical beings using physical devices, we’ll need on-prem security. But it’s past time we fully embraced the cloud and tackled cloud security with thinking that doesn’t cripple its benefits.
Ultimately, I believe cloud vs on-prem is an irrelevant discussion. We need a robust answer to both, but especially in the case of the cloud, we need to stay adaptable and mindful of emerging threats. Good security is a mindset and a process — not an end state.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?