About Andrew Hay

Andrew Hay is an information security industry veteran with close to 20 years of experience as a security practitioner, industry analyst, and executive. As the Chief Information Security Officer (CISO) at DataGravity, Inc., he advocates for the company’s total information security needs and is responsible for the development and delivery of the company’s comprehensive information security strategy.

Andrew has served in various roles and responsibilities at a number of companies including OpenDNS (now a Cisco company), CloudPassage, Inc., 451 Research, the University of Lethbridge, Capital G Bank Ltd. (now Clarien Bank Bermuda), Q1 Labs (now IBM), Nokia (now Check Point), Nortel Networks, Magma Communications (now Primus Canada), and Taima Corp (now Convergys).

Andrew is frequently approached to provide expert commentary on security-industry developments, and has been featured in such publications as Forbes, Bloomberg, Wired, USA Today, International Business Times, Sacramento Bee, Delhi Daily News, Austin Business Journal, Ars Technica, RT, VentureBeat, LeMondeInformatique, eWeek, TechRepublic, Infosecurity Magazine, The Data Center Journal, TechTarget, Network World, Computerworld, PCWorld, and CSO Magazine.

Is Data Safer on Premise or in the Cloud? It Depends.

Over on the Alert Logic blog the question is asked: “Is Data Safer on Premise or in the Cloud?” Unfortunately there is no simple yes or no answer; the only honest answer is “it depends.” The point of the Alert Logic post, however, is not to convince you to move all of your infrastructure into the cloud, but rather to convince you to use Alert Logic’s SaaS application, which is conveniently located where… you guessed it, in their datacenter.

Alert Logic mentions the SAS 70 Type II audit standard. Based on the few SAS 70 reports I have reviewed, the results are very subjective and a tad fluffy when it comes to how they are measured. But hey, clouds are supposed to be light and fluffy, right? I like the idea of SAS 70 audits more than I like the results they actually generate. I’m not saying you should completely disregard a SAS 70 Type II audit when a vendor hands it to you; rather, use it as a springboard for deeper questions about the company background, monitoring practices, information and communication systems, and how the results of the testing were generated (and whether they can be reproduced).

The title of the Alert Logic blog post was what initially made me open it up in my RSS reader. I was a little disappointed that it was more of a product pitch than a debate on cloud vs. on-premise. When I say that the answer to that question is “it depends”… well, it does. The average small to medium business typically does not have the capital, or the experienced personnel, to implement a true security management program AND implement and maintain the technical controls required to enforce the policy. This is where cloud security has the opportunity to shine.

Pitching a move of your datacenter to the cloud under the guise of “increased security” won’t fly with me until someone can take my hand and walk me down to the proposed new home for my datacenter. I want to see, with my own eyes, the network, host, physical, and operational security capabilities, policies, and procedures that my service provider will follow. That might ease my mind, but it will certainly take a lot of convincing to make me believe that you can satisfy the following equation:

(cloud solution security + cost savings) > (my current security)

Andrew Hay