Surveys by Quocirca and other research firms constantly show that “security” is THE biggest concern when it comes to making use of cloud services. Why is this and is the perception that cloud services are inherently less secure than internally managed ones justified?
There are a number of reasons why cloud raises a security flag. First, it is true to say that there have been problems with the security of certain cloud services; for example Yahoo recently admitted to having around 400,000 email address and passwords stolen; the consumer storage service Dropbox also recently admitted to having login details stolen.
It is easy to understand why such incidents raise concerns, but there is no logic in assuming that the bad practice that led to such compromises are prevalent with all cloud service providers. After all these examples (and others) relate to advertising-funded (Yahoo) and freemium (Dropbox) funding model and are not enterprise subscription services with pre-defined expectations around service levels.
On top of such examples of security lapses, the public internet – the gateway to cloud services – is also the source of many security woes; malware usually arrives via the internet and it is an open highway for hackers. None of this means that services cannot be safely accessed over the internet, but it helps create an atmosphere of general concern, especially amongst the more conservative, remembering the days when IT was largely an internal affair.
Some IT professionals who are protectionists with regards to their own jobs play to these concerns. However, is what they are protecting any better than a well-provisioned cloud service? The truth is probably not; in most cases the perception that cloud services are inherently less secure than internally managed ones is entirely fallacious.
At any level, especially for smaller businesses, it is likely the cloud-based services are more secure and indeed more reliable than those provisioned internally. Starting with data centres; larger cloud service providers are often fanatical about the physical security of their facilities, some not even disclosing locations. Small providers are usually based out of huge co-location centres where the owners are equally keen on physical security. Forget trying the get unauthorised access to a cloud service provider’s data centre, in most cases it just ain’t gonna happen.
What about gaining electronic access? Here, this is down to how well the services are provisioned. It is in the interest of providers of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) to make sure that only subscribers get access to the base platform services they have paid for. Beyond this, access to the applications that are provisioned is down to the subscriber; the danger of compromise is no different to that with applications provisioned on privately owned infrastructure (which incidentally, businesses are increasingly provisioning in the very same co-location data centres used by cloud service providers.)
Beyond the obvious need to provide access to customers (and customers’ customers), cloud service providers are no less keen to keep malware and hackers out than internal IT departments. In fact, given the damage adverse security incidents can do to reputations, they will give the issue far more attention in many cases. In fact, many will include guarantees around security in their service level agreements – try getting one of those from an internal IT department.
Despite the high profile given in the press to any security incident affecting a cloud service provider, the truth is that most have never had one reported. The majority of reported IT security incidents involve privately managed IT infrastructure or are due to poor practice in the way applications are deployed on cloud platforms by end users and not the cloud service providers themselves. Thankfully, the message is getting across; a recent Quocirca report showed that perceptions around cloud security are improving – about time too.