Few would deny that the number of cyber-attacks – whether made public or not – is growing. Today, there are more data breaches reported in the mainstream media, not just the IT media. Cloud security, and IT security in general, are thus high on the corporate IT to-do lists for most CIOs and their teams.
However, cloud security is a peculiar beast, with the average corporate IT organization’s ability to invest in, and to address, cloud-related security threats often hampered by a plethora of cloud security myths. Some of them might be truths while others often FUD – fear, uncertainty, and doubt – deviously created to direct corporate IT purchasing decisions away from cloud.
To debunk the most common cloud security myths, we need to dig deeper into the relative levels of truth and deceit in the following three points.
1. “It’s Safer to Stay On-Premise”
There’s a perception that there are more breaches in the cloud than with on premise, however this isn’t supported by independent security research. There are a number of angles to consider here:
- Research shows that malware is more likely to attack non-cloud systems than those in the cloud, with the route taken by hackers more likely to be through employees, and social engineering, than it is a cloud API.
- In terms of cloud technology, hypervisors and VLANs – which are used on premise as well as in all clouds – are robust technologies that are practically impossible to crack. If there was a technology-related exploit, then it would apply to both non-cloud and cloud platforms.
- Public clouds are also often perceived as insecure because they are “outside the corporate firewall” – but in the age of the borderless network, and with the reduced efficacy of perimeter firewalls, if you are on the network then you have an attack surface, regardless of location.
Another part of the myth is “tenant terror,” which is the phobia of sharing a cloud platform. Or more specifically, the fear of the multi-tenant resource pooling that shares compute, storage, and network amongst non-related tenants. However, this is now a mature approach, which is widely accepted by even the most risk-averse government organizations.
Verdict = Debunked
2. “Cloud Security Is Simple”
Thanks to self-service, cloud security can be perceived as simple. And an IT organization can control their public cloud security policies – including identity and access management – without being reliant on a legion of cloud service provider security staff.
However, these cloud controls aren’t the only important facets of cloud security. Visibility is probably more crucial, and where this gets difficult for organizations is in achieving a view across non-cloud and cloud systems, especially where the systems interact.
This will often lead to the purchase of a security or IT management technology to simplify cloud security. But this solving-security-by-buying-a-product approach can increase rather than decrease complexity – particularly if it’s the introduction of a tool aligned with old IT management practices that are now incompatible with the complexity of cloud.
Verdict = Debunked
3. “I’m Not in Control of My Data with Cloud”
Data sovereignty is a classic cloud myth.
It’s a mix of truth and deceit, and it’s not as simple as ensuring that your data lives in the right region – it’s also potentially affected by the location of the cloud service provider’s headquarters. If you must have your data in a specific region, or in specific regions, thankfully you can usually achieve this with a global cloud service provider – given that the leading public cloud service providers now have data center locations around the world.
However, if these providers don’t have the location you need, then a regional cloud provider might work better for you – but be aware that you’ll then have another service provider to manage and a different service experience to deal with. Also be cautious of regional providers that deliberately play on the sovereignty myth to win your business.
Then the resource pooling nature of public clouds makes storage interesting – in that you don’t control the replication of data. Anyone who believes the “I’m not in control of my data with cloud” myth will see this as a security issue – the concern being that cloud service provider staff will be using customer data for ill-gotten-gain. To alleviate this concern, understand the data-at-rest and in-transit encryption methods used – for which the provider doesn’t hold the keys – and the provider’s standard operating procedures for accessing customer information.
Verdict = Debunked
Then there is the myth that the cloud service provider is totally responsible for cloud security – but that’s another article in itself.