Corporate IT continues to argue that public cloud security cannot be trusted. They believe, mistakenly, that they can keep data more secure than the public cloud.
“We live in a world where data center breaches are in the headlines almost monthly, much to the consternation of corporate IT — the same corporate IT that fears the public cloud due to fears around data security. The truth is that the public cloud is more secure than the typical data center, and IT would get better security if it got past its prejudice against the cloud,” says David Linthicum, in his recent article.
Because IT manages its own data resources, it believes it’s doing a better job than other people might, says Linthicum — especially those people at those cloud services where security practices are opaque. But it’s simply not true. Cloud providers have better security mechanisms in place and are more paranoid about — and attentive to — security risks throughout their entire stack.
What public clouds bring to the table are better security mechanisms and paranoia as a default, given how juicy they are as targets. The cloud providers are much better at systemic security services, such as looking out for attacks using pattern matching technology and even AI systems. This combination means they have very secure systems.
It should be no surprise that the hackers move on to easier pickings: enterprise data centers. The on-premises systems that IT manages are typically a mix of technologies from different eras. The aging infrastructure is often less secure — and less securable — than the modern technology used by cloud providers simply because the old, on-premises technology was designed for an earlier era of less-sophisticated threats. The mixture of different technologies in the typical on-premises data center also opens up more gaps for hackers to exploit.
The public cloud has the advantage of being less complex and not dependent on older technologies. At the core, it’s a more secure platform.
The Navatar View
Corporate IT doesn’t agree. Here is an example of what an IT security expert had to say:
“As a communications programmer, I tell you that most customers have not fully realized the risks inherent in the current implementations of multi-tenant cloud computing. Those can be cleaned up eventually, but they CAN NOT BE CLEANED UP COST EFFECTIVELY. The encryption required means non-trivial CPU usage. So, you’re faced with either doing whatever you’re doing insecurely, or doing it with dedicated hardware. The multi-tenant, elastic model is simply broken from a security and efficiency perspective.”
CPU power is cheap so the entire argument falls flat. Nevertheless, these kinds of arguments sometimes influence financial services organizations into keeping their data in-house, even though they are breached constantly (just look at how frequently your credit card gets compromised).
If big banks cannot safeguard their data, imagine what choice smaller financial institutions have. There is no way an organization with a few hundred people or fewer (with a small IT team) can build the level of data security that salesforce.com or Amazon can.
We agree with Linthicum – “cloud providers have done a better job, both because they have to and because their newer technology makes it easier for them to do so. IT should be taking advantage of that cloud security focus, not ignoring it.”