The great IT myth: is cloud really less secure than on-premise?
As the debate regarding security in the cloud rolls on for the umpteenth year, Information Age seeks a definitive answer
It’s been many years since cloud computing swept onto the enterprise scene, promising a new way of computing to support an organisation’s infrastructure and run its applications.
It’s been a long, hard slog to acceptance, but the same word is brought up now just as regularly as it was all those years ago: security.
Powerful internet-based services rose almost entirely in parallel with a whole new world of threats to enterprise data. The result was an association that one does not come without the other – and an irrational fear among IT leaders.
In a recent study of IT decision makers by BT, half (49%) admitted they are ‘very or extremely anxious’ about the security implications of cloud services – an increase of 10% from BT’s previous research conducted in 2012.
More than three quarters of the respondents (76%) said that security is their main concern when it comes to cloud-based services and – most alarmingly – 41% believed that all cloud-based services are ‘inherently insecure’.
But is this really the case? Does something leaving an organisation’s physical estate put it in any more danger than it was before?
‘People should associate IT with a lack of security actually,’ says Wieland Alge, VP and GM of EMEAR at Barracuda Networks. ‘Almost all of the massive data breaches we’ve seen of late were within traditional on-premise IT. Sometimes we are too quick in stating that the cloud is an inherently insecure element.’
While that may be the case for large organisations where an employee has done something they shouldn’t have done, hacks into cloud environments certainly aren’t in short supply.
The iCloud hack, which saw the private images of celebrities leaked online, was arguably the most high-profile cloud hack of 2014 because of its impact on the general public. This resulted in widespread news coverage around the risks of using the cloud, which has continued to raise questions around other cloud-based services.
One of the main concerns for organisations is that information stored in the cloud is out of its control. It could invest in the best security tools and have the most complex authentication, but if the cloud platform isn’t secure it is still at risk.
‘This is not only a major concern, but people are actually beginning to lose patience with cloud service providers that do not take the necessary precautions,’ says Grayson Milbourne, security intelligence director at Webroot. ‘Cloud services, whatever they might be, are no longer just competing on price and service – they are also competing on the security of their service.’
Darren Anstee, director of solution architects at Arbor Networks, adds: ‘When data is held internally it is within an organisation’s own control and they can decide on the level of security to place around that data. Once data moves to a cloud service platform this control is reduced.’
On or off?
But is data in the cloud really more difficult to protect than on traditional on-premise infrastructure?
Perimeter protection, for one, is much the same. Be it on-premise or in the cloud, both do as good a job as they can to protect from attacks.
But in terms of human risk, which is often the most damaging of all, employees with potentially malevolent intentions will find it more difficult to locate certain data in the cloud.
‘They are physically removed from where the data is stored and don't have the personal relationships with the person who does have access to the data,’ says Matt Davies, senior director of EMEA marketing at Splunk. ‘The argument could be made that the lack of physical access and relationships with people could make data in the cloud more secure.’
Then there is the argument that cloud businesses have more secure IT environments than the organisations they sell to. Why? Because that’s the product they’re selling.
They also face tougher standards. Cloud businesses have to build secure data centres that are independently audited, adhere to standards such as SOC 2 Type II, and are used by hundreds to thousands of tenants.
Add this to the reputational and business damage that a cloud provider would suffer should their data not be secure and it’s easy to see why it’s in their vested interest to uphold high levels of security.
‘We expect to see a hybrid of cloud and on-premise environments in the next five to ten years,’ says Philip Turner, VP EMEA at Okta. ‘There’s no doubt that the weakest link in the security chain will prove to be the on-premise environment.
‘You only have to look at the number of penetration attacks that there have been on on-premise environments to see that statistically it has now been proven that people cannot manage security as well in their own on-premise environment.’
An increase in understanding has certainly helped the case for cloud too. Recently there has been a boost in awareness around the dangers of storing data in the cloud, not due to business services being compromised but due to the media coverage around breaches of social media and file-sharing services.
These events have made a broader range of people aware of the potential problems, helping make the issue truly business critical and putting it high on the agenda of IT departments.
‘If an organisation uses a cloud-based service for a key part of their day-to-day business activity, then any interruption to the availability of this service could be very costly,’ says Anstee.
Security will likely remain one of the key concerns when a company decides to move its data to the cloud, but IT leaders understand now that the level of risk mostly relates to the behaviour and culture of their employees.
Ultimately, companies that don’t have strict policies in place and lack data access controls will struggle to keep their data secure in the cloud.
‘Organisations that follow the right security protocols will ensure that the chosen cloud service provider complies with agreed security standards and policies, and introduces the controls around access to data, setting up processes for backup and deleting data,’ adds Paul Briault, director of security at CA Technologies.
Another thing to keep a close eye on, however, is the new EU Data Protection Regulation, which aims to unify data protection laws to meet the challenges of the digital age and, in particular, strengthen the protection of data in the cloud.
When enacted into law, it will require all businesses handling the data of EU residents to delete personal information on request or when it is no longer required – with data breach sanctions of up to €100,000,000 or 5% of annual worldwide turnover.
With the complex relationships between countries in the EU, this may ultimately end up with each country in the EU mandating that the data of their citizens has to stay inside their boundaries and be subject to local laws.
‘If you look at Amazon's announcement of a German AWS zone, in reaction to German laws preventing storage outside of the country, we’re already seeing governments wanting to secure and ensure data stays inside their borders and under their regulations,’ says Davies.
But that remains speculation for now, and shouldn’t put off organisations from drawing value from the raft of benefits that cloud computing offers.
The main question is how organisations should approach cloud security so that they can enjoy those benefits while protecting their data as much as they can. Most of this involves running rigid checks on the provider.
First of all, does the provider have the necessary security and access control procedures in place? This must go beyond traditional firewalls and include physical elements – like sophisticated surveillance systems – as well as network segregation among the cloud tenants and separated firewall contexts for each environment managed by the user.
Additionally, the use of state-of-the-art intrusion detection and DDoS protection systems can help protect the cloud platform from any unwelcome guests, while advanced encryption should be a common fixture with the decryption key resting solely in the hands of the customer.
As previously noted, the cloud provider must prove to the user that it is able to meet the necessary compliance requirements.
‘Industry standards and regulations, such as the financial services industry’s Payment Card Industry Data Security Standard (PCI-DSS), have very defined and measurable security requirements,’ says Ryan Shuttleworth, director of global product strategy at Verizon. ‘Therefore, for cloud computing to be viable, organisations must ensure that their providers are able to adhere to the same standards and controls that they would impose in-house.’
Finally, the cloud provider should be able to answer any questions the customer may have, such as where data will be stored.
If they are unable to answer these questions definitively, alarm bells should be ringing.
What the experts say
‘Unless there are some other big stories, hopefully things will settle down. As shown above, humans are the problem when it comes to security breaches, and more needs to be done to improve awareness of social engineering. The larger the organisation, the greater the opportunity there will be to get in that way.’
- Jack Bedell-Pearce, managing director, 4D
‘Over the next year, we predict that businesses will start realising that security sitting outside of the IT department isn’t something they should be worried about, but in fact represents a positive change in how security is now being seen more as a business challenge rather than an IT one.’
- Rob Norris, director of enterprise and cyber security UK&I, Fujitsu
‘New regulations will encourage educated customers to adopt cloud strategies with greater confidence and will favour providers with a history of understanding data privacy and protection issues. They will help to develop a broader understanding of how to utilise cloud platforms to their best advantage.’
- Mark Edge, UK country manager, Brainloop
‘Many companies are blinded by the convenience and ease of access the cloud presents, so are failing to fully consider the security implications that come with this. Over time this will likely change, but not before some companies unfortunately learn the hard way that convenience is not without its risks.’
- Peter Tyrrell, COO, Digital Guardian
‘In most cases security fears are overstated, and most should be considered more general risk management than security. Most cloud service providers will implement and manage considerably better IT security controls than internal IT departments.’
- Richard Blanford, managing director, Fordway
‘The awareness for cloud security is only going to keep rising. Many companies are looking to the cloud for flexibility and scalability as well as reducing costs. Security should remain the key in the ongoing success and growing use of the cloud.’
- Robert Arandjelovic, EMEA security evangelist, Blue Coat
‘You can’t outsource responsibility for security – businesses need to step up and take responsibility for making sure they are adequately protected. This means being clear on the level of security they need, and putting processes and procedures in place to make sure it is put into practice.’
- Andy Soanes, CTO, Bell Integration
‘The forthcoming European legislation will change awareness significantly as it will change ownership of the risks of data breach. Companies may be more reluctant to go into the cloud, or they may believe that the regulation will encourage providers to be more stringent.’
- Paul Le Messurier, programme and operations manager, Kroll Ontrack Data Storage Technologies
‘Cloud is not inherently less secure than legacy infrastructure; it just requires some different measures and procedures than on-premises storage to ensure data security and privacy. A multi-tenant cloud may actually be more secure because it makes it difficult to target a particular company or data set.’
- Rani Osnat, VP strategic marketing and customer experience, CTERA Networks
‘Cloud services are not inherently more or less secure than any other device with an internet connection, which all of them are. Cloud companies spend a considerable amount of their budget focusing on security and building specific expertise where legacy systems are usually ignored.’
- Erkan Kahraman, CISO, Projectplace
‘There isn’t much in the way of silver linings when clouds stop working, which they tend to do from time to time. While no doubt you will have put in place comprehensive service level agreements with your providers, these on their own cannot deliver maximum cloud cover.’
- Simon Taylor, chairman, Next Generation Data
‘The most justified concern is not of security, but one of trust. Any time an organisation outsources anything, there’s transference of trust from an internal environment, where people are well known, to external providers, where there’s no existing relationship. This trust concern is absolutely valid.’
- Steven Harrison, lead technologist, Exponential-e
- Eduard Meelhuysen, VP EMEA, Netskope
‘The UK's cloud industry is pretty nascent, so most UK companies using the cloud are using it somewhere else. Increased regulation could drive more usage to EU based clouds or even spur the growth of clouds based in the UK.’
- Chris Swan, CTO, Cohesive Networks
‘In many ways you should be able to look at cloud infrastructure as an extension to your on-premise systems. With that in mind, the same controls you put in place around protecting access to that data and the security of that data should be made possible.’
- David Parkinson, strategic development manager, Wick Hill
‘Protecting your data is always going to be paramount and it is never an easy task as there are so many risks involved. When talking about on-premise versus cloud, it goes without saying that you are much safer storing your data locally behind your own firewall where you can closely monitor all of the activity.’
- Ian McEwan, head of Egnyte EMEA
‘In one sense the cloud is still a new computing architecture for many so security is naturally thought of as an unknown because of that. However, at the same time, you might argue that there are actual architectural advantages to the cloud that could enable better security.’
- Dr. Hongwen Zhang, CEO, Wedge Networks
‘The Microsoft case against the US government will shape the future of cloud computing. It highlights fundamental issues relating to the legal jurisdiction of the cloud, as well as the difficulties facing single government and legal bodies that try to impose their laws on the internet, a global entity beyond their reach.’
- Nigel Hawthorn, EMEA director of strategy, Skyhigh Networks
‘Security concerns still exist, but more companies now acknowledge the fact that data can, and should be, considered more secure in the cloud than stored on a lot of the costly on-premises infrastructures. It’s cheaper, easier and more secure if they pay a cloud vendor to do it for them.’
- Philip Turner, VP EMEA, Okta
‘Cloud security is a shared responsibility. Customers need to understand what the cloud service provider will address and what they will have to address to protect their assets. CSPs must be able to scale the “best of breed” security capabilities for all their customers regardless of industry.’
- Lenin Aboagye, director of IT Security, IO
‘The layered service model used by CSPs makes it difficult to trace the physical location of data and the controller of the physical location. The data controller, despite the fact that they have total responsibility for the security of the data, does not control any part of the environment within which the data exists.’
- Dr. Wael Aggan, CEO, CloudMask