Which is more secure: the public cloud or on-premises infrastructure?
“Is it more secure to run in the cloud or more secure to run in my data center?” asks John Treadway, senior vice president at consultancy Cloud Technology Partners. “I can do it better. You can do it better… It becomes a religious debate.”
Large enterprises invest a lot in security, Treadway says and so do large cloud providers. “Whether it’s more secure or less secure, [the cloud is] at least as secure as most enterprise environments,” he concludes.
As the cloud market continues to mature in 2016, organizations are more willing than ever to use cloud-based services. At Amazon Web Service’s re:Invent conference in Las Vegas in October, the CIOs of Capital One and General Electric spoke about how they’re gaining tremendous advantage by using the public cloud. Officials from Bank of America and Goldman Sachs admit they too are using cloud services and other emerging technology like containers.
But this question about cloud security remains. A recent survey of 1,500 IT professionals by 451 Research Group found that security, compliance and data sovereignty are the three biggest issues holding back their usage of the public cloud.
So where does the cloud market stand when it comes to security in 2016?
If you ask Greg Arnette if the cloud is more secure than on-premises infrastructure he’ll say “absolutely yes.” Arnette is CTO of cloud archive provider Sonian, which is hosted mostly in AWS’s cloud. The public cloud excels in two critical security areas, Arnette contends: Information resiliency and privacy. Resiliency is the idea of not losing data or letting it be susceptible to corruption. Amazon’s Simple Storage Service is designed for 99.999999999% durability and up to 99.99% availability of objects over a given year. That’s difficult to mimic on premises.
On the privacy side, AWS’s Identity and Access Management (IAM) service allows organizations to impose fine-grained controls on what individual users can do in an AWS environment (IAM integrates with users’ existing Active Directory, or other authentication platforms). AWS also gives users access to detailed logs of all activity happening in an AWS account, providing the ability to audit activity for unusual or potentially harmful activity. “The cloud reduces the surface area of penetration attacks because the entry points into the cloud are very well defined and can be locked down with multi-factor authentication, web-based tokens, limited-time restricted access and other very mature tools,” Arnette says.
To deploy these tools in an on-premises environment would require not only large investments in infrastructure, but teams to manage them too. In the cloud, they can be instituted with a few clicks.
The basic argument from cloud enthusiasts is that Amazon, Microsoft, Google, IBM, VMware and other IaaS vendors spend much more on securing their systems than most organizations are able to do themselves.
Still, Arnette admits there are folks who “look at the world through a different lens” who believe the cloud is less secure than on-premises infrastructure – and it always will be.
Perhaps cloud pessimists have good reason. In 2014 CodeSpaces became a poster-child example of how not to use the cloud correctly. Hackers gained access into the company’s central AWS administrative and demanded a ransom. When it was not paid hackers deleted everything in CodeSpaces’ AWS environment. It was a dark day for cloud security. Some saw it as an example of why the cloud can be insecure. Others used it as a teaching moment.
But there are certain workloads that will likely never move to a public cloud. Some organizations for regulatory, compliance, safety or customer demand reasons require “air-gap,” offline data center operations – meaning no network connectivity into or out of the data center. By definition of what public IaaS is (delivered via an Internet connection) that would not be possible in the public cloud, says Tim Prendergast, CEO of Evident.io, a company that specializes in securing AWS environments. Private IaaS cloud is another story, however.
Most other workloads, even those in heavily regulated industries can, theoretically move to the public cloud. Mackenzie Kosut has worked in health care and finance, and at both jobs has heavily used AWS. “For security it comes down to two core philosophies: Restrict access and encrypt everything,” says Kosut, now head of technical operations at Betterment – an online investment consultancy; he was formerly at Oscar Health in New York. Both have complied with HIPAA and FINRA regulations while running in AWS’s cloud.
Krishna Subramanian, chief operating officer at hybrid cloud storage vendor Komprise, and a former Citrix cloud manager, says tools that give customers the ability to manage encryption keys on their own premises has been a big advancement for security-conscious cloud users. AWS’s Hardware Security Module (HSM) is an on-premises infrastructure appliance that allows users to encrypt data on their own servers then store the keys to the encryption in the HSM, which sits behind their firewall. Only encrypted data is sent to the public cloud and keys never leave the customers’ premises.
Treadway, the CloudTP executive, says the whole discussion about which infrastructure is more secure could be missing the point. “Most security issues are not with the infrastructure,” he says. “They’re with the application.”
When a company gets its users’ credit card information hacked, its more likely that the company’s applications containing the credit card information was the target of the attack, not the infrastructure it is hosted on. “If people really want to invest in security, they should be focusing on the security of their applications, and let Amazon, Microsoft, Google or some other cloud provider secure the infrastructure.”