CloudEnterprise.info

Cloud or On-Premise: Which is more secure?

Posted by: Dmitry Sotnikov on: October 15, 2010

It bugs me that for some irrational reason there is still a common-sense belief that data is more protected when kept in someone’s own datacenter and not with a trusted cloud provider.

The US Department of Health and Human Services (HHS) has just published data on the past year's data breaches in the medical industry. These only include breaches affecting 500 or more individuals and reaching the “harm” threshold defined by the current rules. Yet there were 166 of those, affecting a total of 4,905,768 patients.

PHIPrivacy.net does a good job analyzing the breach data, and you can see that even in an industry which is highly regulated and paranoid about data security and privacy, data being stored locally is getting stolen or lost all the time.

Compare that to a cloud provider (pick any cloud service which you like: Salesforce.com, Microsoft BPOS, Amazon, Google Apps, Quest OnDemand) – have you heard of 166 breaches for any of those? There are good reasons why you have not:

  • High security standards of the datacenters: a lot of these are compliant with SAS 70 Type I and Type II and ISO/IEC 27001:2005 – does your datacenter get formally certified that high?
  • Clear segregation of duties: people running the datacenter are not your employees, they have no idea what kind of data is getting stored by whom and no vested interest in seeing that data.
  • Needle in a haystack effect: public clouds have multiple customers, so even if a squad of ninjas attacks the datacenter and manages to steal a hard drive, it will just have some bits of data from various customers in a format specific to a particular application and probably encrypted – making the whole exercise completely meaningless.
  • No local device data: your local laptops or mobile devices only work with remote cloud data – so if the device gets lost or stolen you lose the device, not the data.
  • Security is in the cloud business model: for any credible SaaS vendor security is the number one concern (see for example Quest OnDemand security FAQ). They implement specific security measures such as data isolation, audit trails, and so on.

It is just incredibly hard and costly to set up all these measures and maintain them, and I find it hard to see how anyone (apart from a really select few companies) will these days have the resources to provide that level of protection and security for on-premise systems. Cloud makes things more secure. Cloud is good for you.

2 Responses to "Cloud or On-Premise: Which is more secure?"

Good post Dmitry,
Agree that it is a bigger challenge to maintain the required level of security with an in-house and on-premise data centre than one of these trusted cloud providers.

I referenced you with this post on my own blog
http://bit.ly/b6H2N9

Thanks Scott! Thanks for providing the link to your blog post. Great continuation of the discussion. Posts like that are really important and help the industry get rid of old misconceptions and move forward.

Dmitry

Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer Quest Software or anyone else for that matter. All trademarks acknowledged.

© 2008 Dmitry Sotnikov