Microsoft Azure MVP Sam Cogan looks at cloud security, exposing what he calls the ‘great data myth’.
Cloud Security is one of the most frequently cited concerns when businesses are considering moving applications and data to a cloud provider. The common belief is that the company’s data is more secure being held on company-owned servers at on-premises data centres. But how true is this? Is data more secure because it’s on a server you can go and look at? If you compare your on-premises security with one or more cloud providers, how do they stack up in some key areas?
Whilst every company cares about security, a cloud provider’s entire reputation is dependent on providing a secure environment for hosting data. Any significant breach would severely impact user confidence and directly impact their revenue. Because of this, cloud providers are investing heavily in security, personnel, software and process to protect their infrastructure and cloud users. Microsoft alone is reportedly investing $1 billion a year in cyber security research and development.
Cloud providers are able to make such a large investment because they have the customer base to support it and these same customers will directly benefit from improvements in security. This level of investment is way above what most companies could put into their in-house security budget, particularly because security protection does not directly generate revenue. Most companies are putting what security investment they do have into protecting against today’s threats, rather than researching and protecting against future dangers.
Cloud providers operate dedicated security operations centres with teams of security experts who are monitoring their estates around the clock, 365 days a year. Most cloud providers operate on an “Assume Breach” model rather than focussing solely on prevention, and make use of an extensive range of software tools to detect, respond to and recover from attacks.
Much of this software is developed in-house and uses techniques including advanced threat analytics, big data and machine learning to discover trends, and recognise and respond to threats quickly. Alongside this, many providers operate teams of security experts whose only job is to simulate attacks on the infrastructure and test these detection and response processes.
Most companies, even very large ones, have very limited security resources, and those resources spend all their time reacting to issues and requests. Actively testing and simulating potential threats is rarely going to be an option given the lack of time and resources.
To be able to meet the security commitments they make to clients, cloud providers rely on rigorous process and security controls. Strict separation of staff roles and even location exists between those who can access hardware and those who can access data.
Entry to data centres is kept to an absolute minimum and staff are monitored at all times. Developing and applying this sort of strict process would be challenging in an on-premises data centre, especially for smaller organisations where they cannot afford to have resources dedicated to hardware maintenance that are completely separate from application maintenance.
For Platform and Software as a Service offerings this process also extends to patching and updates, which, as we have seen with recent large-scale cyberattacks such as “WannaCry”, is a critical area in which many on-premises IT departments have been found lacking.
Compliance and audit is another area where cloud providers have invested heavily, out of necessity, to win business in regulated sectors such as the insurance industry, where our clients have cited this as an important consideration when switching from on-premises.
Big cloud providers such as Microsoft, AWS and Google have many certifications already in place, spanning both industries and countries, including national governments and defence. This can save significant time and cost for companies who need to adhere to standards such as Payment Card Industry Data Security Standard (PCI) or Service Organisation Control (SOC).
Even for companies that don’t need this level of compliance, the work that is done to meet these compliance targets, and to be regularly renewed, benefits everyone. Gaining even a single compliance certification is a big job for an in-house team, many of which will have little resource with compliance expertise. For many companies that need to be compliant with a standard, being able to use a cloud provider that has already done the work for them, at least for the infrastructure layer, can be a significant time saver both initially and with ongoing certification.
Today’s large cloud providers are able to make significant investments and use the benefits of scale and rapid development to provide high levels of security, monitoring and threat detection and to develop the processes to handle a breach if it does occur. These cloud providers are able to invest more time, money and expertise than any single company can alone, and share the benefits across their client base. Despite these advantages, there are still corporate challenges and concerns when it comes to cloud security, but now is a good time to challenge your on-premises teams to see how they match up to what’s out there in the Cloud.
Could your investment in security actually be enhanced by using the Cloud?