You are sitting with your IT guys and you raise the idea of putting some applications in the cloud. What is almost always the first thing you hear? “Well, you know we can’t assure you it will be secure. Better make sure it doesn’t have any of our proprietary info in it and heaven forbid, make sure there is no personal identification data put in there.”
For years, the concept of cloud has rankled the security nerves of IT practitioners used to running applications on premises or in colocation data centers. Locked cages, badged access control and uniformed guards gave a sense of security that seemed to be absent from the cloud. Among the complaints: you only vaguely know where your data resides, you have to trust that the providers’ security controls are up to snuff, and you have to work out how to satisfy the different compliance regulations. It’s enough to give you the willies.
In reality, this is a myth. The cloud is actually more secure than a traditional data center. Now a recent survey of large enterprises shows that the smart money has tumbled to the facts. Of those IT leaders interviewed, 21% indicated that they saw security as the primary benefit. Overall, security was just a hair behind “increased efficiency” as the top benefit.
Let’s explore why people first worry about cloud security and then dig into the reality. (Thanks to INetU for the following.)
Myth #1: The closer you hold the data, the easier it is to protect it
The truth is that the average enterprise and midsize business can’t keep up with all of the security controls necessary to protect data in-house. Consider this data from another recent survey: more than 68 percent of organizations do not use role-based access control; more than 67 percent do not do security risk assessments and close to 75 percent don’t do any kind of asset management.
Whereas security is a tertiary activity for most enterprises, it is a core business function of a cloud provider. Providers typically invest in the strongest forms of physical security, in network security to detect malicious attacks, and in configuration and vulnerability management to keep the risk to the data they’re tasked to protect as low as possible.
Myth #2: Cloud environments make compliance difficult
Worries about IT compliance can be a big impediment for cloud adoption. But, if security and compliance are the big concerns, cloud providers may actually make compliance audits easier for customers rather than harder. The leading cloud providers all have current certifications for PCI, HIPAA, SOC, FedRAMP, etc. These providers deal with audit conditions day-in and day-out. Compare that to an organization that only deals with audits annually – that’s a huge advantage.
Myth #3: Physical custody of IT infrastructure better guarantees physical security of those assets
Many enterprises and midsize businesses lack the resources to build out and maintain up-to-date capital investments in physical security. Most organizations today depend on old and outdated door badging infrastructure that is easy to hack.
The data centers of cloud providers rely on multiple forms of authentication for physical access. This can be a combination of authentication identifiers such as pass codes (something you know), biometrics (something you are), and a security card (something you have).
Because providers take care of sensitive data, they also regularly allocate money for updates of their physical security infrastructure. They conduct rigorous penetration testing of environments, not just scanning, to make sure social engineering and other break-in attempts don’t put physical locations at risk.
Myth #4: When you put data in the cloud, you’ll never know where it is being stored
This is an old complaint from the very early days of cloud. Most providers today can offer guarantees about where exactly your data resides, especially in light of national data privacy rules. Sometimes this is a big step up from how an organization currently keeps track of its sensitive data in-house. One survey showed that 67 percent of executives did not know where all of their sensitive corporate data resides.
Myth #5: Access control is easier to employ on premises than in the cloud
Security-aware organizations frequently avoid the cloud because they worry that they will be unable to protect cloud-based applications with the same level of access control as their on-premises applications. However, cloud-centric identity and access management (IAM) has come a long way. There are plenty of cloud IAM vendors available to help centralize management of disparate cloud applications and infrastructures.
The Truth About Cloud Security
Clearly, the truth about cloud security is that keeping data on-premises is riskier than keeping it in the cloud. Cloud providers offer higher levels of security because it’s a core competency. Businesses more concerned about bringing their own product to market may not have time or resources for thorough controls and may miss a lot of security best practices along the way. However, because customers, regulators, and business viability demand secure storage of the data in a cloud environment, cloud providers dedicate teams who work on security and compliance as their full-time responsibility.