Irrational Fear of the Cloud
All too often we hear that the dreaded “cloud” is a huge risk when it is used to serve the enterprise, and that on-premise data centers are inherently more secure. The concern is that an unauthorized entity can gain access to the confidential data, be it a hacker, a rogue cloud vendor employee or that the cloud vendor will retrieve your confidential data if ordered to do so by the government.
The fact is that most of the time there is no real basis for this belief — the cloud is no less secure than an on-premise data center, nor is it more secure just because it is the cloud. The inherit fear of the cloud was there since the cloud first emerged, but a lot has changed over the past decade — to a point you can say that the cloud is more secure than an on-premise data center.
Here we address three main irrational fear claims against using the cloud, specifically when it comes to trusting the cloud; there are plenty of real concerns that need to get addressed, regardless of whether the cloud or a on-premise datacenter is used.
Claim 1 — “My information is not safe in the cloud”
As previously mentioned, it is believed that the cloud could be compromised by hackers, rogue employees or under government laws, whereas on-premise data is safe. Many also believe that they can do a better job at securing their on-premise data than the cloud vendor can.
This is a fallacy, and the reason is that this claim holds true to any software in existence, not just the cloud. In its most basic form, even when software is installed on-premise it is still susceptible to the same potential security breaches — it can be hacked, it can contain malicious code inserted by a software vendor employee, and it can contain built-in backdoors that provide access to the government.
If you’re thinking that just because the software is installed in your datacenter and on end user devices then you can better monitor that there is no data theft — think again. It is far too easy to bypass network restriction and other monitoring tools to send out confidential data without ever being detected. Backdooring it into the software itself is one such possibility; secretly tunneling the data through unsuspecting end user devices is another.
You might also think that you are much better at securing your data than anyone else. But consider this: The cloud vendor has probably spent infinitely more resources into security measures that you ever could; not only do they need to protect that data of all of their customers, imagine the damage that they would suffer were they to be breached — they would probably go out of business.
Claim 2 — “Data resides in my datacenter, therefore it’s safe”
Data remains safe within the confinement of the datacenter under the supervising eyes of the enterprise.
This too is a fallacy, and the reason is that data is meant to be consumed by users. Your users access the information from their devices — desktops, laptops and their mobile devices. The data consumed by these devices leave your datacenter, so you end up trusting that the vendors of these devices do not compromise your data.
- Can you be absolutely certain beyond any doubt that Windows/iOS/macOS/Android don’t record the keystrokes of users to steal their usernames and passwords?
- Can you be certain there is no hidden backdoor to enable on-demand theft of data from user devices?
- Can you trust browsers to protect your data?
Right about now you’ll be saying: “Ah, but I have device management software installed on my users devices so I am in complete control!”. But this too begs the same question — can you be certain that the device management software is not compromising your data?
It’s not really fair to compare the cloud with user devices even though both may be hosting data outside of the datacenter; should the cloud be compromised it may lead to a larger data set to be stolen, whereas if a users device is compromised only that users data is stolen. Just keep in mind that if a user was specifically and intentionally targeted for hacking, it’s very possible that all users might be targeted as well.
Claim 3 — “A Virtual Private Cloud (VPC) is still just cloud”
Wrong. A Virtual Private Cloud is a dedicated set of virtual machines with network isolation and separate security measures. Utilizing a VPC to host resources such as servers and databases provides all of the same security of an on-premise data center, with all the power and benefits of the cloud. It is not part of the public cloud — it is part of your datacenter that just happens to reside on hardware out of your physical data center.
If you’re worried that the cloud vendor hosting the VPC has access to your data through the virtual machines, go back and read Irrational Fear 1.
The Reality is Trust
A corner stone of trust is based on cryptography, both encryption and digital signatures. They are a powerful tools indeed, but they have a single point of failure — they are software based, and so inherently, or maliciously, flawed. Remember the OpenSSL Heartbleed flaw?
You can decide not to trust anyone, but good luck trying to write the entire software stack in existence on your own. Even if you could have it all built in-house, are you sure you will do a better job? And what about trusting your employees, maybe one of them is malicious? Food for thought.
The reality is that it all boils down to trust, so much so that the entire internet is based on trusting cloud based services — HTTPS is based on trusting certificate authorities with issuing certificates and host name resolution is based on trusting DNS providers with DNS records.
The question you should really ask yourself is how can you leverage the power of cloud while making sure it stands up to all of your security demands.
Just don’t be afraid to let go of any irrational fears you may still have.
* Co-authored by Nadav Fischer and Yuval Carmel