Why Security is the Reason to go to the Cloud
Cloud has seen great adoption across a variety of businesses and government agencies for some very good reasons. The cost benefits and agility of the cloud are compelling business reasons that have driven many customers away from on-premise data centers and towards the cloud. While we are still in the early days of this journey, customers are moving at a varied pace when it comes to cloud adoption. While there are a variety of reasons this is happening, what we hear the most from our customers is that security is the long pole in the tent for cloud adoption. Fear of increased risk, compliance worries, and lack of understanding all mount to make it difficult for many customers to make the cloud journey. While this is a commonly held perspective, we would assert that it is fundamentally wrong. In fact, we think security is the #1 reason companies and government agencies should be going to the cloud.
We realize this view may seem counter-intuitive. Cloud feels like a loss of control: your data is outside of your data center, the safety and security of locking everything behind your firewall feels violated, and the shared responsibilities are confusing. In addition, the amount of new paperwork and approvals required in high compliance environments can be overwhelming to think about. To help get your mind around this, we offer the following arguments in favor of cloud computing security:
The first reason to go cloud may be the least obvious because it is not technical. Nearly every cyber security program that we have seen considers itself chronically under-funded relative to the growing threats in cyber space. Consequently, they are unable to keep their on-premise environments modernized and secured with the latest technologies. Money usually does not flow unless there is a cyber event that requires new investment to mitigate this risk and make the pain go away. The result is that a cyber event on-premise is a revenue-generating event for most cyber programs (though not usually a source of fun for the CIO or CISO).
The cloud incentives are the exact opposite. The cloud model is fundamentally built on trust. If the core system is compromised, all of the customers will lose trust in the platform and revenue will fall dramatically. Consequently, the cloud providers have much stronger incentives to invest in securing their infrastructure since any major security event is unacceptable. Like any good business person, you can look at how the incentives are aligned to predict with high confidence where performance will be higher. In this case, there is a clear and compelling advantage for cloud.
Access to Talent
Another major advantage of cloud providers is their hyper-scale and global nature. Because of their size and capitalization, they are able to attract, recruit, and retain the best talent. This is especially critical in the cyber security market where the demand for cyber talent greatly exceeds the supply. The consequence of this situation is that Amazon, Microsoft, and Google are able to consistently recruit the top talent where most companies could not compete with the salaries, job opportunities, and benefits these companies can provide. The result of this disparity is that the cloud providers have better cyber talent than most other companies could match.
One key to detecting anomalous behavior on your network is to understand what is normal. While signature-based detection methods have been in the mainstream for years, anomaly detection is the new frontier. While there are many machine learning and other approaches that can be applied to this problem space, it is always easier if you can establish a normal baseline to get started.
On-premise, this is not an easy problem. Data centers are full of special snowflakes that have been built over the years to a variety of configuration management standards. Therefore, chaos is the most likely normal. In contrast, the cloud employs ruthless standardization to lower costs and to improve automation. Another consequence of that standardization is the ability to establish a known baseline for normal. When combined with the telemetry (to be discussed later), this is a powerful combination that gives the security advantage to the cloud.
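To make the baseline argument concrete, here is an added example (not part of the original article) that derives a "normal" set of listening ports from fleet telemetry and flags deviations. The host names, port sets, and 80% quorum are constructed assumptions; the same unexpected listener (port 4444) stands out on the standardized fleet and is lost in the noise on the snowflake fleet.

```python
from collections import Counter

# Constructed sample telemetry: host -> set of listening TCP ports.
STANDARDIZED = {
    "web-01": {22, 443, 9100},
    "web-02": {22, 443, 9100},
    "web-03": {22, 443, 9100},
    "web-04": {22, 443, 9100, 4444},  # one unexpected listener
    "web-05": {22, 443, 9100},
}
SNOWFLAKES = {
    "legacy-a": {21, 23, 8080},
    "legacy-b": {22, 3389, 1521},
    "legacy-c": {22, 8443, 5900},
    "legacy-d": {80, 4444, 3306},     # same listener, hidden among one-offs
    "legacy-e": {22, 443, 6000},
}

def build_baseline(fleet, quorum=0.8):
    """Treat a port as normal if at least `quorum` of hosts expose it."""
    counts = Counter(port for ports in fleet.values() for port in ports)
    needed = quorum * len(fleet)
    return {port for port, n in counts.items() if n >= needed}

def coverage(fleet, baseline):
    """Fraction of all observed (host, port) pairs the baseline explains."""
    total = sum(len(ports) for ports in fleet.values())
    explained = sum(len(ports & baseline) for ports in fleet.values())
    return explained / total if total else 0.0

def anomalies(fleet, baseline):
    """Map each deviating host to the ports it exposes outside the baseline."""
    return {host: sorted(ports - baseline)
            for host, ports in fleet.items() if ports - baseline}

if __name__ == "__main__":
    for name, fleet in (("standardized", STANDARDIZED), ("snowflakes", SNOWFLAKES)):
        base = build_baseline(fleet)
        print(name, "baseline:", sorted(base),
              "coverage: %.2f" % coverage(fleet, base),
              "flagged hosts:", anomalies(fleet, base))
```

A low coverage value is the signal that no usable baseline exists: every host is flagged, so the alert carries no information.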
Another major advantage to cloud is the fact that it is software defined. Unlike on-premise data centers that rely more on appliances and agents for monitoring, the cloud is software defined and collects much richer telemetry on the events occurring within the environment. The result is that more events can be monitored, issues detected faster, and root cause is easier to diagnose. All of these benefits lean towards cloud for security.
A growing trend in security circles is to move away from flat/open networks and towards greater segmentation. While this can be done on-premise with products like VMware's NSX, it often involves re-architecting solutions, dealing with a mix of software-defined and physical infrastructure, and an inability to understand interconnections between legacy applications and end users in a way that allows segmentation to be done with confidence.
Conversely, cloud is micro-segmented by default. The Software Defined Network (SDN) is a core feature of all of the major cloud platforms with default deny security. Security can be as granular as desired or supportable by the client (with rich telemetry provided for monitoring). This is another area where cloud security is significantly better than on-premise by micro-segmenting to minimize attack surface.
Another on-premise pain point is around providing high availability. This is often seen in struggling to get capital investment dollars for infrastructure upgrades (power, space, HVAC, etc.) or additional server and network capacity to support Disaster Recovery (DR). These are expensive and time-consuming efforts when done on-premise. In addition, many customers may not have adequate geographic separation distance to properly perform DR activities using on-premise data centers.
In the cloud, the infrastructure is massively overbuilt to ensure high availability for customers. This level of redundancy is cost-prohibitive for all but the largest companies and agencies. In addition, DR is often just a checkbox or configuration of cloud services to perform. While many security programs focus on confidentiality, availability is a core security function that is greatly enabled by the cloud native tools and services.
Our overall assessment is that the cloud provides a more secure environment than on-premise and that security-conscious companies and agencies should accelerate their drive to the cloud. Even if the agility and cost drivers are not pushing the business and all other things were equal, the security advantages are numerous and compelling enough on their own to start your cloud journey. This advantage will only grow as new machine learning and AI capabilities for security launch in the cloud (many with no on-premise alternative). The key is not to get left behind in the Digital Transformation movement by accelerating the innovation wave that cloud promises. We hope this short article helps you get your CIO/CISO on board with cloud and accelerates your digital transformation efforts.
Interested in learning more about accelerating your security journey in the cloud? Contact us to find out more about how C2 Labs can help.