Banking’s earliest customers were likely wary of giving money to third parties for safe keeping—but nobody now would hesitate to open a bank account. The cloud has undergone a similar transformation over the last two decades, going from a questionable concept to a trusted asset.
With 60 percent of all corporate data now stored on cloud-based infrastructure, there is wide acceptance of the idea that cloud hosting can offer levels of cybersecurity that are equivalent to if not better than those achievable with on-premises or ‘on-prem’ systems. And it is obvious why.
“When you build your own digital estate on site, you're solely responsible for your hardware's maintenance and security,” says Tina Howell, Chief Cloud Officer at xDesign, a web and mobile product developer.
“In the cloud, though, your provider can take a lot of the legwork out of the initial build and set-up of your security,” she says.
“For instance, providers can ensure the physical hardware you're using is secure and compliant, particularly when it comes to compliance with security operations center and HIPPA standards. In some respects, the cloud does offer cybersecurity benefits that on-prem data centers can't.”
“Deploying fresh, up-to-date instances removes the vulnerabilities criminals often take advantage of, and redeploying quickly provides resilience in response to attacks,” he says.
This is perhaps most evident with software-as-a-service (SaaS) products that almost by definition are delivered from cloud infrastructure.
“SaaS providers can have security resources and know-how that a company would find hard to acquire. Plus, they update their applications constantly, regularly adding new functionality to improve the security and usability of their solutions.”
The ability of public cloud computing giants to dedicate massive resources to IT security can create the impression that cybersecurity will be taken care of with a move to cloud-centric operations. However, the cloud does not solve all data security issues.
“The challenge with cloud hosting is that it is intended to deliver to the Internet and therefore presents a larger attack surface,” says Goerlich at Duo. “But by contrast, the challenge with on-premises hosting tends to be the higher number of vulnerable systems.”
Organizations must shift their strategies so security and the cloud can work together when moving off premises, according to professionals. “This is where people get into trouble,” says information security expert Todd Wade.
In a company-owned data center, for example, the company controls the entry points to the infrastructure. “You pretty much funnel everything through key choke points,” says Wade. “With the cloud, these choke points are not there, so your attack surface dramatically increases.”
Similarly, where companies are using cloud-based assets on an infrastructure-as-a-service basis, cloud providers “cannot secure what customers put on their platforms,” Wade says. “It’s up to the customer to secure their tech stacks.”
Because of this, he says, it is important for companies using cloud infrastructure to be every bit as mindful of security as they would with on-premises hosting, albeit that the tools and techniques required might be different.
Ultimately, says Anguera, “The security of applications hosted on premises compared to in the cloud can vary according to different factors, including the type of business, the industry, the types of data being managed, and the company’s ability to manage information security.”
While cloud hosting often offers significant cost benefits over on-prem, when it comes to security “the choice between one or the other will largely depend on the specific needs of each organization,” he says.
“Companies must put into practice an efficient cybersecurity strategy to protect their business and minimize the risk to data, independently of the type of solution they choose.”
Howell at xDesign makes three further recommendations for IT leaders pondering a move to the cloud. “From a macro perspective, you need to ensure that your organization knows its boundaries,” she says. “This means continuously seeking to unearth any blind spots.”
In addition, she says, “you'll need to ensure your team is always trying to build security into your cloud estate, right from the start. In the cloud, security should never be an afterthought, as any retrofitting to plug gaps in your virtual setup can prove costly in terms of time and money.”
Finally, says Howell, “I'd recommend calling in the experts when you're trying to deliver major cloud migrations and optimizations. Cloud is a complex field within the tech canon and, unfortunately, it's one that some senior technologists can underestimate.”
Cloud technology providers and their partners are keen to offer help, she says. “In the long run, it will minimize the cost and time you spend, whilst ultimately ensuring your risk profile is minimized.”
Ultimately, says Duo’s Goerlich, “Ownership is not a security control. Hosting is not safer because it is owned by the organization, nor is it safer because it is delivered by a cloud provider. The driver for safety is resilience, automation, and architecture.”