Cloud security: We're asking the wrong questions

The outcry over celebrity nudes blames a new scapegoat -- the cloud -- for our security woes, but underlying causes run deeper

Cloud computing security lock.

In the wake of the celebrity photo breach, the media is humming with stories disparaging the safety of the cloud. Many longtime cloud critics are crowing, "I told you so!" and waiting for the world to go back to on-premises solutions only.

News flash: 1) the cloud was never touted as being perfectly secure and 2) the cloud will continue to grow and grow. The number of servers in your physical environment will shrink over time. Security doesn't sell solutions -- features and pricing do. Features are cheaper in the cloud.

[ Also on InfoWorld: Nude photos, phone records, NSA data offer essential lessons for admins. | Celebrities get phished, but the cloud gets blamed | Watch out for 11 signs you've been hacked -- and learn how to fight back. | Keep up on the latest threats and solutions for your systems with InfoWorld's Security Central newsletter. ]

The cloud vs. you

Let's address the central question: Is the cloud more or less secure than your on-premises solution?

To get an accurate answer to that question, you'd have to compare your on-premise solution (the entirety of it, including all your relationships) to the security offered by a particular cloud vendor. That's hard to do in real life for a few reasons, led by the fact that most companies don't know the security reality of their on-premise solutions -- and followed by the fact that most cloud vendors won't let you do onsite, direct security auditing of their systems. It's a guessing game.

But in general, in my experience, the biggest cloud vendor services have pretty good security. That is, they have fairly strong physical security, patch their servers, use strict firewall controls, use 2FA authentication for admin access, have hardened configurations and good backups, and largely do computer security better than most of the on-premise solutions I've seen.

To tell the truth, in most cases it isn't even close. For example, with a typical on-premises solution, I have a hard time finding a fully patched server or a directory without dozens of godlike admins -- both terrible security practices.

Special vulnerabilities

Clouds, of course, have unique challenges. They have every security issue, plus more, mainly because cloud providers have to worry about multitenancy, where the compromise of (or by) one customer can lead to the compromise of another.

Services and apps offered by cloud providers are typically come one, come all. Malicious hackers create accounts and start scouring for vulnerabilities. If they get lucky and find a major one, many accounts may be in jeopardy. You can argue, however, that the biggest problems are the unknowns: Clouds are still in their infancy and we're still learning about cloud-specific security issues.

All that said, I find it hard to impugn the overall security of clouds when almost every company can be broken into easily. Let me rephrase that: Most companies are currently, actively compromised.

I've never met a penetration-testing team that didn't easily break into its target within a couple of days. If penetration-testing teams are being paid to break in only once every year or two, why wouldn't the bad guys, who are trying every day, be more successful?

I'm frequently contacted by readers who've not only find out they've been hit by an advanced persistent threat (APT), but ultimately discover that the APT has had access for years -- sometimes for nearly a decade. Often, they discover that other APT exploits also made themselves at home long ago. This isn't the exception, it's the rule ... if you're looking.

1 2 Page 1
Page 1 of 2
7 hot cybersecurity trends (and 2 going cold)