As chief information security officer for Amazon Web Services, Stephen Schmidt is surprised by how many businesses still fail to see the dangers of storing information on computers and servers in their offices rather than in the cloud.
Not only is that data vulnerable to physical calamities such as fire or hardware failure, the onus is also on the businesses themselves to protect their hardware and networks against hackers and other online attacks.
Maintaining so-called "on-premises" storage is particularly risky for small and medium-sized companies, the bread and butter of Canada's economy, since they typically don't have large IT staffs or the resources to spend on countering these growing threats.
Outsourcing data security to a cloud service such as the Amazon.com Inc. subsidiary AWS, on the other hand, is safer and cheaper because it allows businesses to take advantage of significantly greater resources, Mr. Schmidt says.
"If you have a customer who thinks they're safer on-premises than they are on the cloud because they're behind a firewall that somebody installed, they should seriously re-evaluate their risk."
It's an expected position from Amazon, which competes against a number of big technology companies including Google and Microsoft in selling cloud services to other businesses, but recent converts tend to agree.
Jour de la Terre, for example, began moving its data online last year. The 15-person non-profit, which promotes Earth Day activities in Quebec and France, had previously stored its websites, e-mail, documents and streaming videos on separate servers in its Montreal offices.
Director Pierre Lussier says he was initially nervous about putting all of his figurative eggs into one cloud basket, but that was before he realized the precariousness of his existing situation.
Much of his organization's information was managed by a single person who ended up leaving the organization. Without his collected knowledge of where all the data was and how it could be accessed, there was disarray.
"We found out how vulnerable we were," Mr. Lussier says. "It was a total mess."
Jour de la Terre is now on track to finish migrating all of its information by June. Staff have to learn how to interact with the new system, but it's proving to be more convenient and secure for everyone involved.
"You have one gate and the knowledge that [employees] go through that gate," he adds. "I've gained so much."
Axia NetMedia, a fibre-optic Internet service provider based in Calgary, began its conversion to the cloud three years ago out of necessity when it acquired a new corporate customer.
The client required more data services than Axia could itself quickly deliver, so the ISP signed on to AWS to scale up. The company, which employs 150 people and counts the Alberta government, Sunterra Farms and the Post Hotel in Lake Louise, Alta., as customers, has been moving more and more of its business to the cloud since then.
Tie Hoekstra, manager of corporate IT controls and security, believes Axia's services are more secure now because he no longer has to worry about protecting customers' data himself. That responsibility has been shifted to Amazon and its deep pockets.
"You can't duplicate the tools that they're able to give you to maintain your levels of security without spending an enormous amount of money," he says.
Google echoes that sentiment. Like Amazon, Microsoft and other cloud service rivals, the search company runs most of its operations on its own custom-designed hardware, from the servers that data is stored on to the networks that connect them.
To that end, Google in March unveiled Titan, a specially designed microchip that adds cryptographic capabilities to servers.
Each of the cloud companies effectively resell the same security they rely on for their own services to other businesses.
"Our scale allows us to build in security from the ground up," says Niels Provos, a distinguished engineer at Google. "Many of the worries you have about securing your on-premises machines do not exist in the cloud."
That's not to say the cloud is a magic font of security for all businesses. While it does solve a number of problems, it also potentially introduces new ones.
Data sovereignty, where information is stored locally in a specific country rather than on the U.S.-based servers of the big tech companies, has been a growing issue since the U.S. National Security Agency spying revelations a few years ago.
Government clients, especially, are requiring cloud providers to base their data centres within their own borders, to keep their information from crossing over into other jurisdictions.
Those requirements were the main drivers for both Amazon and Google opening Canadian data centres in the Montreal region over the past few months.
Location, however, isn't the only determining factor behind data sovereignty – local laws can also come into play and sometimes conflict.
Microsoft, for example, narrowly won a legal victory last January against the U.S. Department of Justice, which was trying to force access to customer data stored in Ireland.
Localized storage therefore isn't a silver bullet against unwanted search and seizure, which means that businesses with sensitive information will still need to seek out legal advice.
"Just because a company says you have data sovereignty, it doesn't necessarily mean that all the nations involved will agree," says Christopher Parsons, a research associate at the University of Toronto's Citizen Lab.
Mr. Parsons adds that storing data with Amazon, Google or Microsoft could also be awkward for any business that is looking to compete against those companies, a growing possibility given their respective sizes and scopes.
The companies will insist that their customers' data is sacred and that they will never access it, but the incentive will always be there.
Still, as long as businesses are aware of some of these new risks, the cloud can indeed provide capabilities they can't otherwise access.
"Google's [and other cloud providers'] security team will almost inevitably be better than what you can provide," Mr. Parsons says.