Cloud security is a hot discussion topic these days. Security is one of the main reasons that many business leaders have been slow to adapt to the cloud. Keeping data on premises makes business and IT leaders feel more secure.
But lately there seems to be a shift—the cloud tipping point has arrived, and more companies are moving to the cloud to replace various on-premises technologies and services.
The truth is that the cloud offers many of its own security advantages—many of which are the same as on-premises storage technologies. Before you assume that the cloud isn’t safe, it’s worth taking a look at what’s available to you and evaluating the risks associated with moving to the cloud—particularly when doing so could provide serious benefits.
According to Corey Louie, the Head of Trust, Safety, and Security at Dropbox, the best solutions will serve as an extension of the network and security infrastructure that you already have in place. When deployed properly, cloud solutions can help SMBs and Enterprises achieve more agility and can help with cost savings.
If we look specifically at one cloud service, for example Unified-Communications-as-a-Service (UCaaS), one of the fastest-growing markets in communications, the cloud can enable companies to:
- Offload equipment costs
- Shift certain budgeting from a CAPEX to an OPEX model
- Simplify management and cost tracking
- Increase scalability
- Increase IT speed and agility
- Improve disaster recovery and business continuity
There are still those who hesitate when choosing the cloud, which is why it is important to understand what the security threats are, and how to approach security for a cloud-based technology or solution.
What are the risks?
In 2013, the Cloud Security Alliance (CSA) identified “The Notorious Nine,” the top nine cloud computing threats. The report reflects a consensus among industry experts surveyed by CSA, focusing on threats specifically related to the shared, on-demand nature of cloud computing.
These nine threats include:
- Data Theft/Breaches
- Data Loss
- Account/Service Traffic Hijacking
- Insecure Interfaces/APIs
- Denial of Service
- Malicious Insiders
- Cloud Abuse
- Insufficient Due Diligence
Physical theft, employee mistakes (like lost devices), and insider threats are responsible for 42.7% of 2013 data breaches in the United States, according to Privacy Rights Clearinghouse. In another 29.6% of data breaches, hackers broke into data owned by companies and government agencies. Big tech companies, major retailers, and airlines were among the many 2013 victims.
Each year, Alert Logic, an IT services provider, publishes a semi-annual State of Cloud Security report, surveying their customers to understand where security threats are coming from.
The results are interesting:
- An enterprise data center (EDC) is 4x more likely to suffer a malware/bot attack than a cloud hosting provider (CHP).
- EDCs and CHPs are equally vulnerable to a “vulnerability scan” and a “brute force” hack.
- EDCs are 3x more likely to suffer a recon attack and 4x more likely to suffer an app attack.
Cloud providers are 40% more likely to suffer a web app attack and 10% more prone to vulnerability scan weakness than an enterprise data center. In recon, malware, bot, and app attacks, the cloud seems to have less risk than most on-premises technologies.
According to Louie, the takeaway is not that cloud is better but that the risks are manageable. No one—regardless of their resources—is 100% secure.
What are the benefits?
Cloud-based technologies and services are not without their own security advantages. For many cloud service providers, there is a deep commitment to security—perhaps deeper than the media typically portrays. This commitment means a few, quite significant, things:
You get enterprise hardware for a small business price.
With cloud computing, your data is stored on enterprise-grade hardware, equipment that is typically unaffordable for most small and mid-sized businesses. By using the cloud for your business, you are upgrading to safer equipment.
You get more focused security.
For cloud vendors to succeed they need to focus on securing their service. This means that instead of attempting to prevent a variety of more general threats (as your in-house model would require) cloud vendors are free to (and great at) securing the one thing you want protected: your data online.
You get flexibility and agility.
Many IT organizations are stretched thin and struggle to balance day-to-day operations with strategic projects. One of the advantages of cloud services is the speed of deployment. Businesses have the flexibility to roll out cloud services without the IT time and resource commitments typically associated with a legacy deployment model.
You get professional management.
Using the cloud to store data means that you get trained professionals managing your patch updates and keeping the server’s software up-to-date. Maintenance and support time are reduced since there is no longer a need to plan and implement system updates, and you can redeploy IT resources to more strategic initiatives to help advance the organization.
You get well-funded security.
Investing in top-level security features adds value to individual cloud service providers’ businesses. Investing in this way is a necessity for success. Businesses adopting cloud services gain the opportunity to put someone else’s financial resources to work, which can help take the sting out of security spending.
That deep commitment to security means that cloud service providers have to invest far more in scalable infrastructure and information security than do most organizations. Those investments are quite significant, and service providers will bear that burden for you. They can create economies of scale and efficiencies that benefit you.
Think about it like this: services like Dropbox go above and beyond to protect your data — so that you don’t have to invest heavily in secure systems and servers, constantly consider network and product security threats, submit to in-depth compliance reviews and audits, undergo regular testing against attacks, set up complex logical access controls, and assure data centers have advanced physical, environmental, and operational security measures.