Thomas Trappler

Thomas Trappler, director of software licensing for UCLA, also works to help companies mitigate risks when hosting their data on cloud-based servers. “It’s easy to overlook security because of the virtual nature of the cloud,” he said.

Genaro Molina | Los Angeles Times

LOS ANGELES — When Thomas Trappler talks clouds, companies listen.

But he’s not warning about rain. Rather, Trappler is a “cloud” consultant, who tells attorneys, executives and fellow information technology experts what to look out for when they put company databases in the so-called cloud.

As more companies rely on remote cloud servers to store their files, Trappler has become a highly sought-after security adviser, a celebrity of sorts in the rapidly growing cloud computing industry.

“No one’s teaching people about this,” Trappler said. “At the moment, I don’t think there are very many people like me.”

Trappler is the director of software licensing at UCLA — a job that opened the door to his lucrative moonlighting.

For years, he had been buying licenses for programs, such as Microsoft Office, so that UCLA faculty, students and staff could use them.

But the rules started to change five years ago as these programs moved into the cloud, turning into apps such as Office 365.

Trappler studied until he became a go-to expert nationwide.

“It’s easy to overlook security because of the virtual nature of the cloud, but really your data is going over the Internet to another computer and not to some magical world where everything’s going to be fine,” he said.

$40 billion industry

The $40 billion cloud industry, as measured by the research firm IDC, is attractive to companies. By transferring files via the Internet to a hard drive located in a data center or server farm, users can access the data from any Internet-connected device.

Online retailer Inc. is one of the largest data center providers, housing data on behalf of thousands of companies including Netflix Inc., Dropbox Inc. and Autodesk Inc. Other large cloud providers are Google Inc., Microsoft Corp. and Rackspace Inc.

What troubles Trappler is that not every company considers security issues before agreeing to bounce consumers’ data onto the cloud services. Half of companies surveyed in December by Ponemon Institute, an independent research firm, reported they had not taken security risks into account when striking cloud deals.

“What most of us are used to is ‘I buy it, I maintain it,’” Trappler said. “If something’s broken, I can beat on someone’s door down the hall and get them to fix it.”

Now “it” and “someone” are far away. “And the question is, how do I ensure they do it right,” Trappler said.

Prominent threats

With spies after trade secrets, hackers out to steal sensitive financial information and the federal government demanding online communications records, the threats are as prominent and varied as they have ever been.

And companies aren’t the only ones at risk. Consumers who use Web applications are caught blind in the middle. They often are not told where their sensitive information is being stored and what precautions are being taken to ensure that it’s not seen by the wrong eyes.

For example, Google’s Cloud Platform website lists as a client. But the retailer recently moved customer data off the cloud, spokesman Jonathan Sandler said. Its privacy policy doesn’t note where data are stored. The policy does state that Best Buy takes “reasonable security measures to protect the confidentiality of personal information under our control and appropriately limit access to it.”

Trappler has advised more than 50 companies and has spoken to hundreds of people at conferences about what qualifies as “reasonable measures.” Among his clients are a pharmaceutical firm from New Jersey, a biotechnology company from Southern California and a higher education system in the Midwest.

They could not be named because of confidentiality agreements.

Check reputation

He suggested that companies consider, among other things, encryption methods and reliability of the storage computers. Other possibilities include background checks of the cloud provider’s employees and clear notification policies in the event of a breach.

The biggest sticking point in deals is often deciding who’s responsible for the repercussions when data are stolen.

Companies want cloud providers to pick up the tab, since sometimes they have little insight into security measures.

“The client wants to be able to verify the service provider’s security claims,” Trappler said. “But the more details they reveal, the less secure the provider’s infrastructure becomes.”

Some cloud providers certify that they meet standards set by the government or third parties when it comes to storing financial and health care data. But few let potential or current clients test physical or digital security.

David Tollen, author of “The Tech Contracts Handbook,” said all a consumer can do is see whether the company he or she is dealing with has a good reputation of trust. “Scale is sometimes a good proxy for knowing a service provider’s ability, because a large vendor is likely to have done their due diligence,” he said.
