Mon 24 Feb 2020 10:19
Some Clarity on Public Cloud Cybersecurity
Some argue yes. Eplexity calls cloud computing "an established best practice for businesses" and claims "your data is typically safer in the public cloud than in an on-premises data centre". In 2016, Sara Patrick of Clutch, guest-writing for Tripwire.com, claimed to have "four reasons why the Cloud is more secure than Legacy Systems". In 2017, Quentin Hardy of the New York Times claimed that cloud data is "probably more secure than conventionally stored data." In 2018, David Linthicum, writing for InfoWorld, claimed "your information is actually safer in the cloud than it is in your own data centre".
One reason given for the claim is that public cloud providers offer greater
technical expertise than what is possible on-premise. Eplexity writes:
Unless your company is already in the business of IT security,
spending time and effort on securing your on-premises data distracts
from your core functions. Most organizations likely don't have a
robust, experienced team of cybersecurity professionals at their
disposal to properly protect their on-premises data.
... As such, cloud providers may employ hundreds or thousands of
developers and IT professionals.
This is an argument from size and scale. Cloud providers are bigger than you,
and have arguably more IT expertise than you, so they can do a better job
than you. But sadly, size and IT expertise are no guarantee of security. Yahoo
was a large Internet company, valued at one time at $125 billion.
It employed thousands of developers and IT professionals. Yet it was subject
to a cybersecurity breach of three billion user accounts in 2013/14; the
breach was not disclosed until the fall of 2016, and the full impact was
not known until October 2017. The damage to Yahoo's business was significant:
Verizon acquired Yahoo in 2017 for less than $5 billion, a deal that was
nearly derailed by the disclosure of the breaches.
I think we must conclude from the Yahoo story that size and expertise alone are no guarantee of cybersecurity. Naturally, major cloud providers like Amazon, Microsoft and Google are aware of the Yahoo situation and its consequences. No doubt it illustrated for them the negative impact that a major breach would have on their business. I cannot imagine that they would take the threat lightly.
Yet there have been close calls. Microsoft, a major cloud provider,
in December 2019 accidentally disclosed to the world a cloud database
on Azure with 250 million entries of customer support data. Happily,
a security researcher spotted and reported it, and Microsoft fixed it soon after. Moreover, Zak
Doffman, writing for Forbes, reported in Jan 2020 that Check Point Software
Technologies, a cybersecurity vendor, had discovered in 2019 a serious flaw
in Microsoft Azure's infrastructure that allowed users of the service to
access other users' data. While Check Point reported it immediately to
Microsoft, who fixed it quickly, had the flaw been discovered by criminals
instead of cybersecurity researchers, a great many things running on Azure
could have been compromised. Doffman quotes Yaniv Balmas of Check Point:
...the take away here is that the big cloud concept of security
free from vulnerabilities is wrong. That's what we showed. It can
happen there as well. It's just software and software has bugs. The
fact I can then control the infrastructure gives me unlimited power.
In the Check Point research article describing the flaw, Balmas concludes:
The cloud is not a magical place. Although it is considered safe, it
is ultimately an infrastructure that consists of code that can have
vulnerabilities - just as we demonstrated in this article.
What, then, is the right answer? Well, there isn't one. Neither public
cloud nor on-premise datacentres are magic; neither is "safe". Cybersecurity
is a challenge that has to be met, no matter where the service is, or what
infrastructure it is using. Happily, this is finally being
recognized. Even Gartner Research, a long-time proponent of the public
cloud, which predicted as recently as mid-2019 that public cloud
infrastructure as a service (IaaS) workloads would suffer at least 60%
fewer security incidents than those in traditional data centers, has
recently taken a more nuanced view. In the fall of 2019, this prediction
of fewer security incidents in the cloud disappeared from Gartner's
website, and was replaced by this:
Through 2024, the majority of
enterprises will continue to struggle with appropriately measuring cloud
security risks.
Questions around the security of public cloud
services are valid, but overestimating cloud risks can result in missed
opportunities. Yet, while enterprises tended to overestimate cloud risk
in the past, there's been a recent shift - many organizations are now
underestimating cloud risks. This can prove just as detrimental, if not
more so, than an overestimation of risk. A well-designed risk management
strategy, aligned with the overarching cloud strategy, can help organizations
determine where public cloud use makes sense and what actions can be taken
to reduce risk exposure.
So does "public cloud use make sense"? Yes, of course it does, for a great many things. But it's not because the public cloud is intrinsically more secure. The public cloud has its own set of cybersecurity issues. There is no "free pass". As always, carefully assess your risks and make an informed decision.