In this Q&A, Adam Simpson, CEO of Easy Office Phone Inc., a provider of cloud-based business phone service, discusses current cloud risk concerns. This Q&A has been edited for length, clarity and editorial style.
Could you talk about some of today's cloud risk concerns, particularly in terms of cloud vs. on-premises software?
Adam Simpson: Let's say that you've got an email server. Perfect example. You put that server behind your firewall. You can access it internally, and you can open it up to the Internet so that you can access your email remotely. Of course, there are security risks in doing that.
The other option is to put your mail server in the cloud. When you put your data … in the cloud, it makes it more accessible to you -- but it also means you have cloud risk concerns that you have to consider. Those would be the security risks of the cloud service provider.
So what you'd want to know [is] what kind of security measures they have in place. Some of the threats that you would generally encounter could be [distributed denial of service (DDoS)] attacks, data loss, data breaches, insecure [application program interfaces (APIs)] and the like. So when you're going into the cloud, instead of worrying about your own security behind the firewall, you need to worry about cloud provider security.
Cloud service providers generally have more resources than you do to implement security, to monitor security and to implement best practices. If I'm a customer and I have systems behind a firewall, I'm relying on my own IT staff to make sure that that firewall is secure, to make sure that it's kept up to date with the newest software, to monitor it for any security breaches.
We see this problem a lot with small businesses. For instance, we've had lots of small businesses who have decided to run a phone system, an Internet-based phone system, behind a firewall.
What invariably happens is that they have to make it accessible to the Internet and then they get hacked. They get hacked because they're not keeping up on software patches, which is basically a weekly exercise that you have to go through. You need to make sure that you keep up on newest software versions and best practices for security. Unless you're an enterprise, that's a lot of work.
What best practices should people keep in mind about cloud risk concerns when moving into cloud environments?
Simpson: The first, I would say, would be to consult experts who can recommend secure cloud application service providers … that have implemented proper security that has been tested. Also, those experts will be able to tell you, either through the cloud provider or themselves, what type of encryption and security measures need to be implemented in your own organization to use those cloud services.
So for instance, when you're offloading your security and data to a cloud service provider, you're basically not worried as much about understanding security in your own environment. You need to make sure that they are implementing proper security in their environment because that's where the data is stored now.
Most companies are now sharing data with employees outside the office, so cloud services make sense for them. So when you go to a cloud service provider, you want to ask them what best practices and recommendations they can recommend to you as a customer to implement in your own organization in order to use their services securely.
You also want to ask that cloud provider security questions such as: 'What kind of security practices does your organization have in place to protect security? Have you ever had a breach? What do you do as [an] organization to protect my customer data from being breached?' It's really important that you know that. It's the same as if you bought some software … to install on a computer behind your firewall -- you would ask: 'Is this software secure? Is the data encrypted? How many users access it from the Internet?'
You're shifting that responsibility from your own network out to a third party, so you have to really know that provider and make sure that they have the best practices in place as well.
What, specifically, should companies be looking for in terms of cloud-provider security? What exactly do they need to know?
Simpson: You want to know that they have strong encryption techniques in place. You want to know that they actively monitor security breaches and implement best security practices. Encrypting data inside the cloud, for instance, would be a good one.
You also want to know about the facility they're housing this stuff in. Is it a secure facility? Can insiders or employees gain access to it? You want to know who can access that data and how they can access that data.
You also want to make sure that they have APIs and that they have protection for data loss. That's important, because you want to know what kind of backup systems they have in place in case the data was ever destroyed or removed in some sort of security breach.
The last thing I would want to know about is: What kind of protection does the cloud service provider have in cases of things like denial-of-service attacks? Because when you go to the cloud, if it's a cloud that's not on a private managed Internet connection that only the customer can access, you basically have to worry about hackers who could attack the … cloud offering as a whole and take down every customer that's connected to it. So you want to know how they protect against that.
As I mentioned earlier, one of the benefits of a cloud provider is that they have the resources and the staff to invest in security and monitoring. But for a small organization or a medium-size organization, that's a very costly thing for them to implement inside their own organization. Companies spend a lot of money doing that and they're not always successful at it.
What are some of the security threats that people should be watching for in terms of cloud-based or Internet-based telephone calls?
Simpson: With voice over IP technology, you want to make sure about the user credentials that you use, [for instance,] if you install it on a laptop or you install the application on a cell phone. You want to make sure you keep user names and passwords secure, so you don't want to send them through email. You don't want to share them with other employees because, otherwise, somebody else can get access to them.
The other thing, as I mentioned with voice over IP, is that having a private managed Internet connection from the voice over IP provider is very helpful because it allows the provider to implement security on that voice connection. It means they can encrypt the data … so nobody can eavesdrop on that voice call.
Some voice over IP offerings in the marketplace go over [the public] Internet, rather than over a private Internet connection, like traditional landlines would go over a basically private connection. [In such cases,] the only way to listen to a call would be to actually physically wiretap it. A private Internet connection makes it very difficult to eavesdrop on calls. So when [your phone calls] are going over the Internet, you have to be concerned about the voice provider as to whether those calls are encrypted, or do they go over public Internet space where they could be eavesdropped on.
Another thing is recording calls. A lot of voice providers offer features such as being able to record calls, so you want to know how … those recordings are secured and where they are stored.
Even things like call records are important. A voice provider like us stores call records in a database for the customer so that they can access them from anywhere. You want to know whether that provider is using best-practice security measures in order to secure those call records and that user data that they're hosting for you.
Let's look into the future a bit. What do you see emerging in terms of cloud and Internet phone trends?
Simpson: First, the demand for managed Internet will increase significantly. As cloud-based phone service becomes the norm, the intersection between voice and data traffic will become especially important. Businesses will come to demand managed Internet service. Private Internet use will increase, too, as companies move to reduce cloud risk concerns, tighten security and protect data.
What do you see in terms of the bring your own device (BYOD) movement?
Simpson: BYOD will shift to 'join our cloud.' Although mobile devices are becoming more powerful, the world is becoming less device-centric. Companies are going to focus primarily on application, network and content environments that drive and enable a truly connected workforce. They'll focus less on asserting control over specific device choices. Employees will find it increasingly simple to understand company procedures, get up to speed on internal systems and access shared resources.
Finally, what do you see on the horizon for small and midsize businesses (SMBs) in terms of cloud computing?
Simpson: The cloud will make SMBs global and drive greater customer satisfaction. Time zones will become nearly irrelevant. Cloud technologies will enable SMBs to become truly global operations, able to serve clients 24/7 with local presence in numerous countries.