Looking back in time, I mentally divide articles on cloud security into two general “waves.” The first, from the early days of cloud, are those that looked at the shared, public nature of what Amazon was selling and said “the cloud is not yet secure!” In addition to the very idea of shared infrastructure going against everything the security industry was trying to achieve, there were also some quite valid concerns that potential customers needed to know about. Server-based network switching could theoretically be exploited to gain access to VMs that weren’t assigned to you, for example. Data stored in the cloud was not always securely wiped off before the storage space was assigned to new customers, and that made headlines when customers found they could recover information from previous users of the space. CSOs were legitimately concerned about jumping into cloud services too quickly, often citing the need to comply with government or industry security standards like PCI DSS, HIPAA and FedRAMP. The takeaway? Cloud was less secure than your own data center.
The second wave of cloud security articles came after the leading cloud providers began publishing long lists of standards that their customers had, in fact, complied with, along with a commitment to support that compliance going forward. The early technical and procedural difficulties were now in the past and relegated to a bin labeled “growing pains.” At that point, the narrative morphed into something new. “All one has to do is look at what the public cloud behemoths spend on security to know that they can achieve far more than your own, sadly underfunded security operation could ever hope to do,” everyone seemed to say. That narrative is still with us today, showing up in security articles and as casual mentions in more general guidance on cloud services. The takeaway? Cloud is more secure than your own data center.
Both of these narratives are false.
They are false because they are dramatic oversimplifications. Worse, they are actually damaging the quality of critical business decisions being made right now. Here’s what’s wrong with them:
- They don’t specify what is meant by “cloud.” Amazon, Microsoft, Google, IBM and all the rest do not secure their cloud infrastructure in exactly the same way. Securing technology assets is way too complex, and security designs are way too proprietary, for that to happen. Data centers are not located in the same places, which means vulnerabilities to disasters or physical incursions vary, as do the political, economic and legal risks associated with the various jurisdictions that cover them. Is that public cloud or private cloud? Because things like auditability and penetration testing are often far more limited when you’re using infrastructure that might be shared with other customers. On-site or off-site? Because if the assets are off-site you’ve almost certainly increased your attack surface by creating an interface with an external entity that has to be trusted, and that entity also has interfaces between your service infrastructure and its corporate network. SaaS providers often use third parties to host their infrastructure, which means you may have added multiple interfaces to your attack surface. Major cloud providers do have world-class security implementations. They have the money to invest, and they know the risk to their business represented by the threat of a well-publicized breach. They had better, because they’re also more enticing targets than you would be on your own. Data thieves would love to find a way to get into all the data stored on a large provider’s infrastructure. When thinking about the potential for a criminal act, you should never fail to consider motive.
- They don’t specify what’s meant by “your own data center.” Who are you? If you’re a small business that has its data center in someone’s converted office and an IT staff that you can count on your fingers, then yeah, large cloud providers probably have better security than you do… as far as it goes. Just remember that OS patches and any interfaces outside the providers’ facilities are usually your responsibility, like the management console that you use to manage cloud resources. What happens when the administrators who can access that console leave the company… in a bad mood… because they quit or were fired? Can all of your backups be deleted from that console? I hope not – don’t forget what happened to Code Spaces. Now, if you’re a large multinational with an IT department as big as a medium-sized company that prioritizes security (I’m looking at you, banks and defense contractors), the answer could be different. You need to look very hard at the provider’s security to determine if it’s a step up, a step down or a lateral move with balancing pros and cons. Do you have unique security needs that can’t be met by a service that’s designed for a horizontal market? You might. Do you have vulnerabilities in your own security architecture that haven’t been closed as the exploits continually multiply? You might. The comparison you’ll need to make will depend in part on who the provider is and on which service you’re considering.
- Just asking the question can be misleading. It gives customers the impression that when they move to the cloud they are replacing all of their own security with the provider’s security, and for basic IaaS that just isn’t the case. It’s true that the provider has taken on physical data center security, network boundary protection and monitoring, the hypervisor and other security concerns specific to the provider’s infrastructure. They’ve also put in place all of the encryption and configurations necessary for a cloud service to actually operate. But you are still doing your own patching. You are still managing the guest OS and all the utilities and applications. You are still doing your own firewall configuration too, even though that firewall belongs to the provider. Many IaaS customers are still surprised when they find out just how little of their security responsibility has actually been taken on by the provider. Now, if it’s SaaS or a “managed” service like a database, the picture changes. The provider is likely to take responsibility for much more infrastructure security, and some of your attention can shift upwards to identity management and authentication. It’s critical to pay attention to what the provider is actually taking responsibility for.
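The firewall point above is the one that bites IaaS customers most often: the provider owns the packet filter, but every rule in it is yours. As an added illustration (this is not the author’s code and not any provider’s API), the following Python audit walks a constructed, provider-neutral list of ingress rules, in the shape a security-group listing typically takes, and flags anything that exposes an administrative or database port to the whole Internet. The rule fields, the sample rules and the port list are assumptions made for the example.

```python
"""Audit IaaS ingress (security-group style) rules that stay the customer's job.

Added example, not from the article. The rule format is a constructed,
provider-neutral simplification of what a cloud firewall API returns.
"""
from dataclasses import dataclass
import ipaddress

# Ports a defender rarely wants reachable from 0.0.0.0/0 or ::/0 (assumed list).
ADMIN_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}


@dataclass
class IngressRule:
    name: str        # constructed label for reporting
    protocol: str    # "tcp", "udp", or "all" (every protocol and port)
    from_port: int
    to_port: int
    cidr: str        # IPv4 or IPv6 source range


def is_world_open(cidr: str) -> bool:
    """True when the source range is the entire address space (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: IngressRule, port: int) -> bool:
    """True when the rule admits TCP traffic to `port` (directly or via 'all')."""
    if rule.protocol == "all":
        return True
    if rule.protocol != "tcp":
        return False
    return rule.from_port <= port <= rule.to_port


def audit_rules(rules):
    """Return one finding dict per (rule, sensitive port) exposed to the world."""
    findings = []
    for rule in rules:
        if not is_world_open(rule.cidr):
            continue  # restricted source range: not a world-exposure finding
        for port, service in sorted(ADMIN_PORTS.items()):
            if rule_covers_port(rule, port):
                findings.append({
                    "rule": rule.name,
                    "port": port,
                    "service": service,
                    "source": rule.cidr,
                })
    return findings


# Constructed sample rules; none of these describe a real environment.
SAMPLE_RULES = [
    IngressRule("ssh-from-corp", "tcp", 22, 22, "10.0.0.0/8"),       # fine
    IngressRule("https-public", "tcp", 443, 443, "0.0.0.0/0"),       # fine
    IngressRule("ssh-public", "tcp", 22, 22, "0.0.0.0/0"),           # SSH exposed
    IngressRule("dev-range", "tcp", 3000, 4000, "0.0.0.0/0"),        # MySQL + RDP
    IngressRule("allow-everything-v6", "all", 0, 65535, "::/0"),     # all four
]


def summarize(findings):
    """Group findings by rule name for a quick remediation list."""
    by_rule = {}
    for f in findings:
        by_rule.setdefault(f["rule"], []).append(f["service"])
    return by_rule


if __name__ == "__main__":
    for rule_name, services in summarize(audit_rules(SAMPLE_RULES)).items():
        print(f"{rule_name}: world-reachable {', '.join(services)}")
```

The same loop works over real rule listings once they are mapped into `IngressRule`; the check that matters is the pair of questions in `is_world_open` and `rule_covers_port`, and the provider will not ask them for you.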
We’ve only scratched the surface of a very complex topic here, but the next time you see an article that says “cloud security is worse” or “cloud security is better,” I hope that you will give it all the attention it deserves, which is none. The whole reason that The Cloud Service Evaluation Handbook has an entire chapter on security is that the security that is best for you depends on your needs, your capabilities and on the characteristics of each particular service. You’ll need to do an actual evaluation, with participation from your security team, to find out what you’re gaining or losing when you move to cloud.