When an IT consultant proposes storing the firm’s financial data in a web-based application, a production company’s accounting manager responds with a simple verdict: ‘Our data stays inside our own walls.’ This reaction captures the instinctive defensiveness that many Turkish SMB managers display when they first encounter cloud-based software offerings. But grounding the security debate purely in emotion makes it nearly impossible to assess either the real risks or the genuine benefits of the model.
Cloud computing means that software and data are hosted not on a company’s own servers but in a remote data center accessed over the internet. When combined with a software-as-a-service delivery model, this approach allows small and medium-sized businesses to use enterprise-grade applications without investing in expensive server hardware. Yet the questions of ‘where is my data, who can access it, and what happens if something goes wrong’ remain the most significant psychological and practical barriers to adoption.
To assess security properly, the right starting question is this: how secure is your data right now, in its current location? In most Turkish SMBs, the server sits not in a climate-controlled, access-restricted data center but on a shelf in the accounting room or a corner of the warehouse. Backups are done irregularly, or not at all. A fire, a flood, or a theft can mean irreversible data loss. A serious cloud provider, by contrast, replicates your data across multiple physical locations, enforces strict physical access controls, and runs continuous network monitoring. Making the claim that ‘cloud is insecure’ without first examining the actual security of the current setup means assuming that the status quo is safe — an assumption that is frequently wrong.
That said, the real security risks of the cloud model should not be dismissed. Transmitting data over the internet makes the quality of encryption protocols a critical selection criterion. The country in which the provider’s data center is located raises questions about whether third parties could legally access your data under that jurisdiction’s regulations. The provider’s uptime guarantee — how many hours per year the system is reliably available — matters in direct proportion to how dependent your operations become on that service. A manager who signs a contract without clearly addressing these three points is purchasing a feeling of security rather than actual security.
For a practical evaluation, it is reasonable to ask a provider for the following: whether SSL encryption is in use, the certification status of their data center, the frequency of backups and the procedures for data recovery, the compensation terms in the event of a service outage, and the format in which your data will be returned to you if you terminate the contract. A provider who cannot answer these questions or refuses to include the answers in the contract is one whose offering justifies concern. A provider who can answer them, who can point to reference customers, and who operates out of a recognized data center in Turkey or Europe is one for whom the same level of anxiety no longer has an objective basis.
The most common practical difficulty is that security assessment requires technical knowledge that most SMBs simply do not have in-house. An accounting manager is not expected to know what SSL means, but engaging an independent IT consultant or checking references with peer companies in the same sector is the most practical way to close that gap. Internet connection reliability is also a variable that cannot be ignored: even as ADSL connections become more widespread, outages remain unpredictable, and businesses that need real-time access to critical data must factor this into their provider selection.
When making a decision, the following framework is useful: how sensitive, how large, and how frequently updated is your data? How genuinely secure and redundant is your current server infrastructure? Does the provider you are evaluating answer the questions above to your satisfaction? Answering these three questions turns ‘is cloud secure?’ from an abstract debate into a concrete business decision. Security starts with measuring the gap between what a provider actually guarantees and what your current infrastructure can realistically deliver.
This article was originally written in Turkish by Gökhan MERCANOĞLU on May 25, 2009 and has been automatically translated into English and other languages using machine translation.