With so many myths persisting about public cloud security, we think it's time to dive into why you are safer running in the public cloud than in an on-premises solution, a hosted private cloud, or a hybrid cloud environment, and provide some advice about taking responsibility for your own cloud security—whatever cloud you use.
In August 2011, Vivek Kundra—at the time the federal CIO of the United States—wrote an Op-Ed for the New York Times. In it he describes how his department instituted a “Cloud First” policy in 2010 after discovering “vast inefficiencies” in the $80 billion federal IT budget. The policy mandated that at least three projects for every agency be transitioned to the public cloud by the following summer.
Looking back over the implementation of the policy, Kundra noted that, whereas some departments had embraced the public cloud, others were not so enthusiastic. He commented that the State Department had raised concerns about data security and the risks involved in storing data in the public cloud. Kundra countered these concerns with one of the most popular quotes written about cloud computing:
“Cloud computing is often far more secure than traditional computing, because companies like Google and Amazon can attract and retain cyber-security personnel of a higher quality than many governmental agencies.”
Now, you might think that if the federal CIO of the United States believes the public cloud is safe, everybody else should as well. Right? Wrong. In the almost seven years since Kundra wrote his Op-Ed, the debate has continued about whether you are safer running in the public cloud or not, resulting in a large number of cloud computing myths that are, quite honestly, not too difficult to debunk.
Quite possibly it is the people making these comments that are insecure, not the data. If you study recent high-profile data breaches, it is apparent that the location of the data is not as important as the security mechanisms (or lack of them) put in place to control access to it.
Even if that were true (which it isn't), would CSPs such as AWS, Microsoft and Google blow the trust in their quadzillion-dollar businesses just to get a peek at your data? If you have any doubts about this, or concerns about malicious insiders, ask your CSP for audit logs.
Let's see. If you don't connect to the public cloud, you probably don't use the Internet, don’t allow your employees to plug their laptops into your network, and you sure as heck don’t have a BYOD policy. Oh. You do. Maybe it is time to review your data security procedures.
Single-tenant private clouds certainly have good perimeter security, but multi-tenant public clouds also benefit from logical content isolation—effectively an additional layer of security designed to prevent attacks from inside the perimeter. Another myth bites the dust.
This myth is worth analyzing in greater depth because in 2013 an established IT security vendor identified a noticeable increase in vulnerability scans against both on-premises infrastructures and public cloud deployments. The vendor found that on-premises infrastructures were more susceptible to malware attacks and botnets, but decided to continue analyzing data from four thousand customers to ensure its conclusions were accurate. In 2017, the vendor published the results of its analysis.
Over an eighteen-month period from August 2015 to January 2017, businesses running exclusively in the public cloud experienced an average of 405 “security incidents”—incidents that were confirmed as a valid security threat and that warranted further investigation, analysis, and response. Security incident rates were similar regardless of whether the customer ran in AWS, Microsoft, or Google, or in a public multi-cloud environment.
By comparison, customers running exclusively on on-premises infrastructures experienced an average of 612 security incidents, those running in a hosted private cloud experienced 684 security incidents, while those operating a hybrid environment experienced an average of 977 security incidents over the eighteen-month period—almost two-and-a-half times as many as the vendor's customers running exclusively in the public cloud.
The high rate of security incidents experienced by customers operating in a hybrid environment was attributed to the combination of public and private clouds increasing a business's attack surface. It was also noted that operating across multiple environments could exacerbate the weaknesses in each type of implementation. But what about on-premises infrastructures and hosted private cloud environments? Why did they perform so badly?
One theory suggests that because IT managers believe in myths 1, 2, 3, 4, and 5, they take greater care in securing their data and in restricting access to it from any source. It is certainly true that lower incident rates do not translate to lower risks, so this theory has some credence—although what Vivek Kundra wrote about Google and Amazon attracting and retaining cyber-security personnel of a higher quality might also have something to do with it.
The actual reason you are safer running in the public cloud has very little to do with the security of the public cloud itself. It has more to do with how IT managers perceive the public cloud and take a higher level of precautions to protect data by restricting access to it. It may seem illogical, but the evidence suggests it is true, and not a cloud computing myth!
CloudHealth can help IT managers improve the security of data in the public cloud by providing total visibility of cloud-based resources. Using data from the comprehensive reporting suite and continuous monitoring, IT managers can better identify and manage cloud security risks, proactively analyze security operations, and create alerts for security events.
CloudHealth also provides you with the tools to implement effective access controls and identity management. Using a “security as code” principle, you can apply policies that automatically identify, flag, and escalate misconfigurations (the reason behind many security events) and provide a deep view into access control, network security, data security, application security and audit trails.