Yesterday’s newspaper had a good rant in the letters to the editor about stupid enterprises, where more than 60% had not outsourced their email to the cloud yet.  It got me thinking: Are the enterprise managers avoiding the cloud stupid?  Or might they be reacting according to some of the basically sound principles for security

  • If I do not understand it, avoid it. True security assessments can only be made for things I understand. Since the cloud email solutions are somewhat new, they tend to get bitten by this.  And some of the business models are not well understood, or well explained (for example: paying with your personal information or your clicks, as opposed to paying cash).
  • If it is too good to be true, it is too good to be true. Avoid deals that are too good to be true,  in this case free (or cheap) email.
  • Giving the US government access may not benefit my business.  The Patriot Act and other regulations give extensive access to infrastructural components, including cloud servers, even if they are not located in the US.  Oh, and this goes for a number of other governments as well, I am using the US as an example since most major cloud suppliers are governed by US law.
  • What is the bribe level for gaining access to my data? A month’s paycheck will get you access in many countries, and in low cost countries the bribe level may be too low for you to expose your data to the country.  Some West-European banks outsourcing operations to Ukraine ran into this thinking in the security audit.
  • Unclear value chain may turn out to be expensive for me in the long run.  My business intends to be here for the long run.
  • What happens if they loose my data?  What do I know about their backups?

Most if this boils down to how to trust something ephemeral, like a cloud.  Personally, I like clouds.  But I have taken the time to read and study up on them, and not every manager out there has the time or the same policy inclination I do (weirdly, some people do not read cloud audit guidelines late at night).

It turns out, that yet again, people are not stupid.  Even managers are not stupid.