With the constant drubbing of companies by ransomware gangs, IT security should be at the forefront of every executive's mind. Thus far, that hasn't necessarily resulted in action. Chances are, no matter what company you work for, security could be better. And that raises the question: is your environment safer in the cloud, or on-prem?
According to a Gartner study, while almost 70 percent of businesses use cloud resources, the vast majority have only a small percentage of their infrastructure in the cloud. The rest is in on-premises server rooms and/or co-location facilities. One of the big reasons that companies continue to do this is the perception that security is better in private server rooms than it is in cloud-based offerings.
But is it? Highly unlikely. Especially if your company is an SMB.
Is the cloud actually secure?
When it comes to physical or cybersecurity, it is hard to match the capabilities of the major cloud platforms. Both forms of security are notoriously expensive for any one business, but major cloud providers can offer the best of both worlds because they can spread the cost across a vast array of customers.
In terms of physical security at a data center, beyond the gates and guards at the perimeter, the major cloud providers study both environmental and human risk. They implement multiple layers of protection that include access control, monitoring, and authentication inside the facility. Controlled access at a data center is available to only a small number of security-screened employees, numbering in the dozens, and they are monitored by cameras 24/7. Client company executives visiting the facilities are rigorously pre-screened for necessity and must pass a multi-step authentication process. Once on-site, approved visitors are offered only a limited time and are monitored, with controlled access. Azure's process even includes biometrics.
From a cybersecurity standpoint, every major cloud provider offers monitoring, and the cloud platform raises security alerts. In the event of a network security issue, the alerts are logged and kept for review for 30-60 days by default. The company can export those alerts for long-term storage as needed. Additionally, when a company's systems are moved to the cloud, the company can take advantage of the cloud provider's full IT security suite. This includes a variety of security services that the cloud provider makes available to its clients to help them secure their cloud-based infrastructure, such as denial-of-service offerings, network intrusion detection monitoring, dashboards, and background processes that review the security posture of the cloud resources and where a cloud environment stands with regard to various compliance requirements, and more.
By comparison, SMBs have limited physical and cybersecurity resources and a limited number of IT professionals on staff. They must handle patching, review security logs, and configure systems for best security practices, in addition to their normal day-to-day tasks supporting and expanding the solutions that the business needs to continue running smoothly. Achieving the same elite security available in the cloud at either an on-premises or a co-location facility would be cost-prohibitive for most companies, even if management were willing to spend that kind of cash, and it usually isn't.
But what about...
The primary question SMBs have regarding security in the cloud is whether co-locating services in a cloud with other companies increases risk. The answer to this question is quick and easy: there's no risk. Even though you are co-located on the same physical hardware as another company, there's no connectivity between the other company's environment and your company's environment. If the co-location of services is a worry, some cloud vendors offer you the ability to rent the physical server from them, thus preventing other companies from putting any services on those servers.
Companies also want to know what their biggest risk factor is once everything is placed in the cloud. Once the infrastructure is secure, the answer is employees. People will always be the weak link, even when they don't mean to be. The cloud resources need to be protected so that if an employee is compromised, the attacker is inhibited in their ability to damage the organization.
What if I mix and match?
If moving your entire system to the cloud simply for the sake of security isn't possible, but you'd like the security of the cloud, make sure the connection between your on-premises environment and your cloud environment is set up correctly, i.e., with strict permissions. That will prevent infection of your cloud environment if your on-premises environment is ever compromised.
If you must pick which services to move to the cloud for the sake of security, focus on customer-facing ones first. When customer-facing services are left on-premises, they typically do not have the DDoS and firewall inspection services of cloud vendors, leaving them easy targets for potential hackers. There's also the increased risk that if a user is compromised, the attacker could easily access services on-premises.
Measure twice, cut once
If you decide to move to the cloud, plan carefully. Some questions that ought to be asked of the IT team include:
- Will the cloud provider sign off on any compliance documents which our customers or suppliers require?
- What sort of IT response to a security breach will our company have? What sort of response will our cloud provider have?
- What are the high availability and disaster recovery configurations that will be put in place to ensure business continuity? How will these solutions be impacted by our security configuration?
- How long will our migration take from our current solution to the cloud?
- How will this migration enhance our security posture?
If these questions cannot be answered with accuracy and completeness, then you aren't ready to complete cloud migration. This does not mean that the company will never be ready; it only means more planning is needed.
But any SMB is better off in the cloud from a security standpoint. The lesson is in the hack on Colonial Pipeline a few months ago. They had four separate, independent security assessments that exposed multiple fragilities. Cost was the cited reason those issues weren't resolved. So if one of the largest oil companies can't afford ample security, who exactly can, in the age of ransomware?