Probably the biggest concern around cloud I hear over and over again is the security of public cloud services. You have the cloud advocates like myself, telling anyone who will listen that the cloud is more secure—there is more rigor, process, talent, and focus on security in multi-tenant cloud services than in most private organizations. Then you have the IT and security pundits telling you that it is more secure to stay out of the cloud and to not be connected. I also believe that this can be true, depending on your industry and needs.
Truly the most secure posture you can have for cyber-security is to have no connection at all. As my dad says, “I don’t worry about viruses or spam because I don’t connect to the Internet.” Yes, he is a caveman. But for the 99% rest of us, the world is better, connected—our products are better connected and our businesses and organizations are better connected. We have to determine if that connectivity is more securely managed by ourselves or by others.
Let’s discuss two of the largest security threats facing organizations. The first is our employees. Can moving to the cloud protect us from the insecure practices of our biggest assets? Absolutely—and it will do so even more in the future. By moving much of your valuable payload to secure data centers in the cloud, with industry-certified workflow, the latest technology, and cloud-connected security measures, poor user behavior can be mitigated. A secure cloud can provide real-time reputation and protection against unknown actions and reduce the number of attack vectors for any organization. In the near future, machine learning will map user behavior and compare it against usage patterns to ensure security posture has not been compromised. Cloud providers build in many different automated and manual authentication methods that will ensure a root of trust has been created before allowing any actions to occur.
The second largest security threat is the number of vulnerability points in organizations. Networks, operating systems, devices, connections, and applications all have vulnerabilities that require management. And, as we have all heard, this breadth is only going to continue to explode and drive the shortage of security talent. Instead of securing each one of these vulnerability points within their on-premises data center, organizations that move to the cloud shift this responsibility to the cloud providers. Organizations can expect that their cloud service providers are including this in their service—however, it should be agreed upon in the SLA as well as verified through audit. In the cloud, there will be quicker response to newly found vulnerabilities. For example, when Heartbleed was first exposed, many cloud providers had their environments updated in minutes. This in itself will drive better security for any organization’s leaders and allow them to focus on their core business. They will be secure in knowing that their services are secure.
You can see how the potential to provide better security from the cloud is evolving—certainly it is not perfect and has room to mature. We also know that new security concerns arise when moving to the cloud. Take a look at the Cloud Security Alliance’s Treacherous Twelve, which lists the top twelve cloud security concerns. The thing is, I see these twelve as the same concerns for any individual organizations. The difference is that cloud services can focus on protecting against these concerns at scale. And that is really the point—for cloud services to be successful and continue to grow, the focus has to be on providing the most secure environment to customers, which is exactly why we see cloud adoption on such a dramatic rise.