Is the Cloud really less secure than onsite?

Cloud security. It’s one of the most frequently cited concerns for businesses that are considering moving their applications and data to a cloud provider.

The common belief is that a company’s data is more secure on company-owned servers at onsite data centres. But how true is this? Are data more secure because they’re on a server you can see? If you compare your onsite security with one or more cloud providers, how do they stack up?


While every company cares about security, a cloud provider’s entire reputation depends on providing a secure environment for hosting data. Any significant breach would severely impact user confidence and directly impact revenue. Because of this, cloud providers are investing heavily in security, personnel, software and process to protect their infrastructure and cloud users. Microsoft alone is reportedly investing $1 billion a year in cyber security research and development.

Cloud providers are able to make large investments because they have the customer base to support it. Their level of investment is way above what most companies could put into their in-house security budget, particularly because security protection doesn’t directly generate revenue. Most companies are putting what security investment they do have into protecting against today’s threats, rather than researching and protecting against future dangers.


Cloud providers operate dedicated security operations centres with teams of security experts who are monitoring their estates around the clock, 365 days a year. Most cloud providers operate on an “Assume Breach” model rather than focussing solely on prevention, and make use of an extensive range of software tools to detect, respond to and recover from attacks.

Much of this software is developed in-house and uses techniques such as advanced threat analytics, big data and machine learning to discover trends, and recognise and respond to threats quickly. Alongside this, many providers have teams of security experts whose only job is to simulate attacks on the infrastructure and test these detection and response processes.

Most companies, even very large ones, have very limited security resources who spend all their time reacting to issues and requests. Actively testing and simulating potential threats is rarely going to be an option given the lack of time and resources.


To meet the security commitments they make to clients, cloud providers rely on rigorous process and security controls. Strict separation of staff roles and even location exists between those who can access hardware and those who can access data. Entry to data centres is kept to an absolute minimum and staff are monitored at all times.

Developing and applying this sort of strict process would be challenging in an onsite data centre, especially for smaller organisations that cannot afford to have separate resources for hardware maintenance and application maintenance. For Platform and Software as a Service offerings this process also extends to patching and updates, which, as we have seen with recent large-scale cyberattacks such as “WannaCry”, is a critical area in which many on-premises IT departments have been found lacking.


Compliance is another area in which cloud providers have invested heavily out of necessity to win business in regulated sectors, such as the insurance industry. Big cloud providers such as Microsoft, AWS and Google have many certifications already in place, spanning both industries and countries, including national governments and defence. This can save significant time and cost for companies that need to adhere to standards such as Payment Card Industry Data Security Standard or Service Organisation Control.

Even for companies that don’t need this level of compliance, the work that’s done to meet these compliance targets benefits everyone. Gaining even a single compliance certification is a big job for in-house teams, many of which will have few resources with compliance expertise. For companies that have a need to be compliant with a standard, being able to use a cloud provider that has already done the work for them, at least for the infrastructure layer, can be a significant time-saver, both initially and with ongoing certification.