Security in the Cloud

In the nineties, I founded a company that provided rich media content management software. We deployed it as a Software as a Service solution (or, in the parlance of the day, we were an “Application Service Provider”). 

We had some small success selling to large enterprises (Starbucks was an early customer) but most large IT departments shut us down cold. “We only buy software that we can install and run behind our own firewall,” was the refrain I heard over and over again. “Our data is so important that we need to run it on our own servers so that we can hug them anytime.”

I learned the hard way about how difficult “Missionary Selling” is. We had to spend the first 3-4 meetings with a potential customer just evangelizing the concept of Software as a Service before we could even begin to sell the advantages of our particular product.

And so I read with interest an article today in the Wall Street Journal about how Google — one of the most security-conscious companies of the 21st Century — has decided to move all their internal applications to outside servers in the cloud. 

What’s happened, of course, is two things: (1) cloud infrastructure is now usually the highest-performance way to run an application; and (2) companies have realized that running applications and data internally does not equal safety (recent security breaches at Sony, Target, and Anthem have proven that).

What matters is writing software with proper authentication, authorization, and encryption.

The physical location of the server doesn’t provide security — good software engineering practices and processes are what provide security.