In the early days of the cloud, it was taken as a truism that cloud platforms were less secure than the alternatives, including onsite server rooms and data centers. Two factors combined to challenge that viewpoint. The cloud matured and began to implement security features that made it more palatable to enterprise companies and SMEs concerned about security. A huge number of successful attacks and data exfiltrations from company-owned data centers overturned the wisdom that owning the physical servers automatically leads to improved security.
What is a Cloud Server?
A comprehensive definition of what the cloud means is difficult to pin down because the term is used in so many different ways. In this article, I’ll focus on infrastructure-as-a-service, which allows users to deploy cloud servers and related infrastructure on-demand. Cloud servers are virtual machines, simulated servers that run on a virtualization layer called a hypervisor. The hypervisor runs on a physical server — often referred to as a dedicated server or bare metal server.
Each physical server can support dozens of virtual servers: the public cloud is a multi-tenant hosting environment. The multi-tenant nature of public cloud platforms is a major cause of concern for some business IT leaders. Many companies may have cloud servers and data hosted on the same physical server. It makes intuitive sense that multi-tenant systems are less secure than a physical server that’s entirely under the control of a single company.
Experts Agree Cloud Hosting is Secure
But, in fact, multi-tenancy does not introduce additional risks, as Gartner’s security experts have pointed out [source: https://www.gartner.com/smarterwithgartner/three-areas-cloud-security/]:
“38% of companies who don’t plan to use the public cloud cited security and privacy as the main reason. However, companies may be using security/privacy as a scapegoat for fears about relinquishing control over data and a major shift in the status quo of how enterprises are used to operating. ‘There’s been no correlation between security failure and the degree of multitenancy,’ said Mr Heiser [research Vice President at Gartner].”
Yet the idea that public cloud platforms are inherently less secure lingers. The security risk of hosting data on cloud platforms is sometimes thought of as a trade-off organizations must endure to gain the agility, elasticity, and flexibility of the cloud. This is a misguided way to think of cloud security. For the vast majority of organizations, cloud platforms are radically more secure than on-site server hosting.
The underlying physical layer of cloud platforms is located in enterprise-grade data centers, with security, staffing, and monitoring that most companies can’t hope to match.
If you consider physical security, the best enterprise data centers have access controls that the Mission Impossible team would look at and despair. From multi-level biometric checks and round-the-clock security patrols to state-of-the-art electronic monitoring, these data centers are nigh impregnable.
The same is true of network security. For cloud vendors, security is a core competence. Their business lives or dies on its security reputation, so they invest in the staff and technology required to provide the best security.
The unfortunate truth is that the IT departments of most businesses don’t have the same incentives or resources. Cloud vendors can afford to build truly secure systems because they benefit from the economies of scale inherent in building big and sharing the cost with multiple clients. For a smaller company to achieve the same level of security, the cost would be astronomical.
The fact that a company has complete control over a few servers sitting in a server room or cupboard has little to do with how secure the data on those servers is. To be fair, it should be pointed out that hosting servers in a third-party data center or public cloud platform doesn’t guarantee security either, but it does give smaller companies access to capabilities, hardware, and expertise that would otherwise be prohibitively expensive.
The Public Cloud
Large corporations were slow to adopt the public cloud because they have complex regulatory and security requirements that weren’t met by early cloud platforms. Aware that the enterprise was key to growing the cloud market, cloud vendors made significant investments in security and privacy protections and certifications so they could demonstrate their commitment to security to third parties.
The largest companies can afford to build secure data centers with the relevant certifications and audits, including SSAE 16, HIPAA, PCI DSS, and others — although it’s almost certainly not the most cost-effective option for companies not operating at the scale of Google or Facebook. But the most important point for smaller companies is that the best cloud vendors will give them access to audited, certified, and highly secure data centers for a fraction of the cost of building equivalently secure systems.
Cloud Servers Stigma
So why does the “cloud is insecure” meme remain long after it should have passed into history? It is, in part, because some IT professionals are invested in the status quo. But there’s also the fact that many IT professionals want to control all levels of the stack for which they are responsible. If they can’t see what’s happening with the physical servers, they feel uncomfortable.
That’s understandable, but misguided. Control of an asset is not the same as optimal management of that asset. We entrust many aspects of our lives and businesses to experts. High-quality cloud platform vendors are experts at building secure data centers and networks.
Of course, it’s possible for a cloud vendor to make a mess of things. There are plenty of legacy hosting providers who rebrand as cloud hosting providers and continue to provide the same dubious security they always have. That’s why it’s so important for cloud users to pay attention to the security record and certifications of their vendor, as I discussed above.
Additionally, cloud doesn’t automatically equate to secure systems. The most secure infrastructure can be used to build a woefully insecure platform if the business that uses it doesn’t take security seriously, as we have recently observed with the catastrophic Equifax data leak. In fact, most security breaches have nothing to do with the infrastructure layer — they’re the result of lax security practices, poor controls, and lack of expertise. Culture is just as important as technology where security is concerned.
Cloud infrastructure is the least expensive and most effective route to secure infrastructure available to small and medium businesses. Organizations should do due diligence before putting their trust in any vendor, but most would be well advised to take advantage of the security and infrastructure expertise of a premium cloud vendor.