Ever since Amazon jump-started the industry in 2006, companies have been moving workloads to the cloud in droves. And for good reason: cloud frees up tech resources for more business-facing activities, shifts spending from big-dollar CapEx to more predictable OpEx, relieves the business of the burden of purchasing, provisioning, and maintaining costly infrastructure and software licenses … and on down the line.
Yet, 10 years on, security is still an open question even though, according to Bill Kleyman writing for Data Center Knowledge, "… the reality is that a public cloud environment hasn’t really ever experienced a massive data breach." This is good news for an industry whose business model would crumble under the weight of multiple high-profile data breaches.
The reality is, public cloud providers have every incentive to make security a top priority -- right next to up-time and latency. The cloud industry also argues that because providers offer hyper-focused solutions at scale and don't have to spread IT budgets around to cover a hodge-podge of multi-generational devices, software, and networking gear, they can spend more time and resources on cybersecurity than many in-house IT shops.
Blogger David Linthicum, a consultant at Cloud Technology Partners, agrees: "What public clouds bring to the table are better security mechanisms and paranoia as a default, given how juicy they are as targets," wrote Linthicum for InfoWorld. "The cloud providers are much better at systemic security services, such as looking out for attacks using pattern matching technology and even AI [artificial intelligence] systems. This combination means they have very secure systems."
Most headlines bear this out. While cloud providers have had their share of high-profile outages, large-scale data breaches have not happened (at least none that have been reported in the mainstream press). But most businesses – large or small – don't have high-profile data breaches either. So, given this reality, what cloud security really boils down to is risk or, more specifically, risk tolerance. This must be evaluated on a case-by-case basis, which is how most companies are approaching cloud.
For highly sensitive workloads, cloud will never be an option. Defense contractor Lockheed Martin, for example, uses lots of siloed, "air-gap" systems and technology for that reason. But for the majority of the work that most organizations engage in every day, cloud is a perfectly acceptable alternative to hosting applications and infrastructure in-house. Hosted email is a great example of this, as are productivity applications. Collaboration is a natural in the cloud, as is storage.
Even mission-critical workloads like ERP and CRM are increasingly going to the cloud, albeit usually to software as a service (SaaS) providers that specialize in the solution under consideration. For non-mission-critical but still very important workloads like dev/test or DevOps, cloud has worked quite well, saving companies lots of energy, time, money and resources that otherwise would have gone to standing up and maintaining non-production infrastructure.
When thinking of cloud from a security perspective, buyers also have to consider their internal, existing standards, policies, and protocols and how well those are actually being followed. Even the best defenses fall short if server patching or access policies are not being adhered to – as Sony found out the hard way.
So, the short answer is, yes, time has proven that public cloud is as secure or more secure than any but the most walled-off corporate infrastructure and data. But moving workloads to the cloud encompasses so many issues that security may no longer be the most important question you need to be asking today.