“The cloud is not secure!”: a management summary
“We cannot store our sensitive data in the cloud, it’s not secure!“. This is a statement I’m confronted with on a regular basis and it’s usually brought up by CIOs or IT Managers which haven’t had much experience with cloud technologies yet.
As a (web) developer, I am convinced that embracing cloud services (especially PaaS) brings great benefits to most companies. In this post I sum up why I think that the “the cloud is not secure” statement is usually unfounded and why “the cloud” is actually more secure than most on-premises systems. Please note that this post is very biased towards Microsoft Azure, but should be applicable to other cloud platforms as well.
Anyway, what you should not take from this post is that moving everything to the cloud will solve all your (security) issues. It won’t.
“The cloud is not secure” – my view of things
Data security is one of the biggest concerns that is brought up in discussions. Here are some facts and questions you should ask (yourself):
They’ve got the experts
The cloud platform of your choice usually has a great number of cybersecurity experts at hand which are constantly working on hardening the platform. Check out the blog of the Microsoft Detection and Response Team (DART) for some insights: https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/
Attacks are daily business
Cloud platforms are constantly facing various kinds of attacks. They do threat analysis on a regular basis and already have plans for various attack scenarios. On top of that, every platform usually has an Incident-Response-Team which is experienced in mitigating attacks.
Secure by default
Most Azure services are secure by default:
Let’s take the Azure SQL Server Service for example:
- Transparent data encryption is enabled by default. You can even bring your own key and use hardware security modules
- Vulnerability assessment is fully integrated in the platform
- You don’t have to apply any patches, this is all done for you and on a regular basis, security fixes are patched immediately, and not when your DBA finds the time.
Another simple example is blob storage: Azure blob storage encrypts your data with 256 bit AES by default.
Microsoft Azure offers over 90 compliance certificates:
Physical attacks are nearly impossible. It’s way harder to social engineer yourself into a Azure datacenter than into the one of the local company XYZ.
Also, scenarios where an careless employee causes a ransomware attack which encrypts all your servers are nearly impossible with PaaS services.
Many data centers are a collection of legacy technology that has been built up over the years. Some of them even lack security updates. This is something that doesn’t happen in the cloud (this excludes IaaS of course)
Questions you should ask
The questions I ask the person, that comes up with the “the cloud is not secure” statement, are usually these:
- Is your company working with any cyber security experts? Do you have staff that is specialised in cyber security?
- Do you perform any threat analysis, threat modeling, vulnerability scanning or any other type of vulnerability assessment?
- Did you ever face an incident?
- If the answer to the previous question is “no”: How can you be sure? Have you anything in place that would help you to detect any security policy violations?
- Do you have an incident response plan?
- Does your on-premises data center meet any compliance certification?
- Our cloud apps store blob data 256 bit AES encrypted – is any on-premises app of yours doing any encryption? Do you encrypt your sql databases by default? Do you have any hardware security modules in your datacenter we can use for encryption?
- How often do you patch your servers? Do you install critical security updates when they come up?
Most small and medium sized companies answer almost all of these questions with “no“.
You don’t have any state-of-the-art security measures. Why do you think, that hosting things on-premises will make anything more secure?
It’s not relevant anyway
Real security needs way more effort than setting up a firewall. You shouldn’t worry about infrastructure too much, because the most common causes of data breaches I see are these:
- Weak and stolen credentials
- Application vulnerabilities
- Malicious insiders
- Insider error
Does on-premises-hosting prevent any of these causes from happening? Nope. The cloud doesn’t either, but it can help: Using cloud services like Blob Storage, Machine Learning, Databases, etc. reduces the amount of code developers need to write – less code, means less potential vulnerabilities. It also reduces chances for any attack vectors that come from insecure configuration.
Allowing cloud services should be the first step in improving your corporate security, this forces you to implement other processes like proper credential management and threat analysis.
This post contains affiliate links. Clicking on those links helps me running my blog and does not add any additional costs! Thank you for your help!
I am an Austrian-based Software Architect, Web Developer, Security Enthusiast and IT Allrounder with experience in multiple areas of expertise. I like Microservices, Cloud Technologies and working early 🙂
All views, thoughts, and opinions expressed in this blog belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual.