There seem to be two groups of people out there when it comes to cloud security: There are those who believe that public clouds are systemically unsafe, and those who believe clouds are impenetrable.
They’re both wrong. Both of these myths are dangerous, and so they need to die.
Kill this myth: If my data is in a public cloud, it’s inherently unsafe
The thinking goes like this: Because I can’t see it or touch it, others can steal it.
The fact of the matter is that, if you take precautions—that is. spend time picking and implementing the right security services— your data in the cloud will likely be more safe than it was in the traditional system where your data came from.
Think about all those breaches in the news over the last several years. Not one has a cloud near it. Why is that? Well, those who put data in clouds usually take time to implement the right security solution.
Cloud vendors have to do that to stay in business and deal with the fundamental connectedness of their systems. IT organizations have to do that to protect their companies, and they can do so more easily and repeatably when using systems designed to be secure.
By contrast, traditional on-premses systems typically have outdated security and are not proactively operated, so they are more inherently vulnerable.
Kill this myth, too: Public clouds are impenetrable
Nothing is impenetrable, including public clouds that have all of their security capabilities turned on.
Less penetrable does not mean impenetrable, so it’d be foolish to just put your data in the cloud and not worry about its protections. It’s just that you have more assurance that the protections implemented in the cloud will work.
When it comes to public cloud security, you need to be concerned about matching your security requirements to the available security services. That means you should use identity and access management (IAM), encryption, and perhaps multifactor authentication. If you’ve done all that, you’ve done your job.
The big vulnerability is the human factor
However, vulnerabilities still exist—typically in the form of human error: users who share accounts, admins who write passwords on sticky notes, firewalls that are not updated, and all that sort of stuff. Although most security solutions are solid, the security operations are typically where companies fall down, both in the cloud and on-premises.
The degree of your system’s secure depends on your ability to think through and then implement the right security solution, then on your ability to handle your security operations over time.
Cloud security is not black-and-white. It’s neither systemically unsecure nor systemically secure. It’s really a matter of how you approach cloud security, and, dare I say, how much time and money you spend on it.