There are a number of myths about public cloud security that, if believed, can prevent businesses adopting the cloud and benefiting from the advantages of cloud computing. We debunk five of the most common myths about public cloud security - including the one about there being more data breaches in the public cloud.
In December 2010, the Federal Chief Information Officer Vivek Kundra gave a presentation introducing the government’s new “Cloud First” policy. The policy had the objective of cutting federal waste and increasing departmental efficiency by mandating that each agency migrate a minimum of three projects per year to the public cloud.
The policy was received warmly by some departments, but not by most. Concerns over management challenges, legacy system compatibility and Service Level Agreements resulted in some “low-hanging fruit” (i.e. email systems and collaboration tools) being moved to the cloud, but little in the way of elaborate, mission-oriented systems.
The biggest obstacle to Cloud First adoption was public cloud security. Many departmental CIOs raised the issue of storing data in the public cloud and struggled with understanding CSPs’ shared responsibility models. Kundra argued that companies like AWS and Google can attract cloud security personnel of a higher standard than many governmental agencies, but the concerns rumbled on.
The Concerns Develop into Myths
Due to a lack of understanding about how public cloud security works, many of the concerns developed into myths - not only in federal agencies, but in the private sector as well. One of the “best” myths at the time was that adopting the public cloud would put systems administrators and IT professionals out of a job. You don’t hear that one anymore.
However, despite public cloud adoption increasing, some myths continue to circulate. These can dissuade businesses from moving to the cloud and benefitting from the scalability, flexibility, and cost-efficiency offered by cloud computing services. The following are some of the most common myths about public cloud security you still hear today.
“The lack of physical control over our data makes our data insecure”
The physical controls applied by Cloud Service Providers are far more advanced than most on-premises infrastructures. Cloud Service Providers spend countless hours considering potential threats when building their data centers and they design, implement, and test top-of-the-class controls to ensure their systems counteract any risks.
“If you don't connect to the public cloud, your data is less at risk”
So many services now run through public clouds, making it impossible to be in business and not connect to a public cloud via the Internet. Additionally, the location of data is irrelevant when discussing public cloud security risks. Research shows a failure to apply effective security best practices is the primary reason for data breaches - not where the data is.
“Single-tenanted private clouds are more secure than multi-tenanted public clouds”
Data stored on single-tenanted private clouds and multi-tenanted public clouds has the same level of physical perimeter security, and multi-tenanted public clouds use logical content isolation to prevent two sets of devices which share the same network infrastructure from communicating with each other. So, the actual security is the same.
“Public cloud providers mine enterprise data”
This public cloud security myth is completely unjustified and easy to debunk. Public cloud providers have services, such as AWS CloudTrail, that will provide an indisputable audit trail of every activity on the business’s public cloud. You also have to ask yourself why public cloud providers would risk their reputations by breaching customers’ trust.
“There are more data breaches in the public cloud”
In 2017, this public cloud security myth was demolished by an IT security vendor who analyzed vulnerability scans from more than four thousand customers. Over the eighteen months of research, it was found that businesses operating in an exclusively on-premises environment were more than 50% more likely to experience a “security incident” than businesses operating exclusively in the public cloud.
Let’s Look at that Final Public Cloud Security Myth in More Detail
The IT vendor classified a “security incident” as any incident that was confirmed as a valid security threat and warranted further investigation, analysis, and response. On-premises environments were found to be more susceptible to malware and botnets; but surprisingly businesses operating in private clouds and hybrid clouds also experienced a higher volume of security incidents than public cloud users.
The conclusion drawn from the research was that businesses operating in hybrid clouds experience more security incidents because of their increased attack surface; while businesses operating in on-premises environments and private clouds experience more security incidents because they’re not so security conscious - due to believing there are fewer security risks than in the public cloud.
By comparison, businesses operating exclusively in the public cloud did have concerns about data security, but put measures in place to address their concerns. Possibly the existence of public cloud security myths influenced the businesses to understand Cloud Service Providers’ shared responsibility models and take more care about the assets they were deploying.
The Security of Data in the Public Cloud
As mentioned earlier, the failure to apply effective security best practices is the primary reason for data breaches - not where the data is. So, data is no more or no less secure in the public cloud than anywhere else. The real issue is how businesses protect their data against loss, theft, or unauthorized access. That’s what really matters.
CloudHealth can help businesses better protect their data in the cloud by providing total visibility of their cloud-based assets. Our cloud management platform constantly monitors our customers’ cloud environments to identify vulnerabilities and threats that could result in a security incident, so that IT managers can proactively address issues rather than reactively respond to them.
If you would like to know more about how CloudHealth can enhance your business’s public cloud security, our team of cloud experts will guide you through CloudHealth’s “security as a code” principle, which you can take advantage of to gain a deeper view of issues such as access controls, network security, application vulnerabilities, and data integrity.