Breaking Free from a Fixed Mindset: Cloud Security is Better Than Yours

The quote often credited to Henry Ford goes, “If I had asked people what they wanted, they would have said faster horses,” said in response to his invention of the assembly line. People were not expecting the automobile, nor were they asking for it. The steam engine and rail systems around the world provided the sort of long-distance travel that people needed to get to other areas of the country. Lack of suitable roads was one of the largest hurdles that automobile adoption faced at the time, much like electric cars face today with the scarcity of charging stations. The public cloud faces a struggle similar to the one the automobile faced in the early twentieth century.

Large enterprises, such as Amazon Web Services, Microsoft, and Google, have become the biggest public cloud providers in the world. The draw of using the cloud has enticed companies over the past decade with service level agreements that promise high availability and reliability, lower total cost of ownership by limiting initial capital expenditures, and affordable startup costs that allow new businesses to flourish through speedy launches. Innovation has been happening at a record pace. However, the speed of this advancement has not come without its challenges. There have been large service outages in each of the major providers’ systems. Still, this has not stopped entire companies from being founded and operating in the cloud. Uber is one of these companies that was born in the cloud. Even with major technological advancements and enticing reasons to move to the cloud, the proliferation of one primary argument still prevents complete public cloud adoption: the cloud is not secure.

So what is the cloud?

The cloud is often a confusing concept for non-technical people. Often considered nebulous and without definition, the cloud is simply a network of servers stored in large data centers around the world. The largest cloud providers have many data centers to provide services to customers. The cloud providers handle the essentials by offering services to their customers through: large data center facilities, redundant power, cooling, networking, server hardware, physical security, geographical spread, and connectivity to the Internet. Through server and network virtualization, cloud providers can maximize their resource offerings to customers through multi-tenancy. Another huge benefit of this model is scalability. No longer do customers have to go purchase lots of hardware to run short-term needs of increased horsepower. The cloud provides the ability to spin-up and spin-down resources, including compute, storage, and networking without having to invest in large capital expenditures.

It takes only a few seconds to run a search on the Internet and find an article that claims that the public cloud is not secure. On the one hand, concern for security of the public cloud should haunt every CEO before they place their most critical assets or customer data there. Yet on the other hand, companies often struggle with the idea of letting go of control of their systems and data centers. One critical distinction needs to be made clear: cloud security is different from trusting a cloud provider. Conflating the two is common, so each needs a definition. Cloud security consists of the technological and physical measures that a cloud provider puts into place to prevent the loss, theft, or compromise of a customer’s data. Enormous budgets, highly-skilled security experts, and lots of technical innovation go into providing cloud security. These span from data center design and protection to software engineering and system hardening. Many aspects come into play when securing a cloud infrastructure. However, most of these measures are invisible to the end-customers.

If cloud security is the physical and technological means to protect the cloud, then trust in a cloud provider is simply an idea. This idea of trust is rooted in generational attitudes. According to Adam Hayes of Microsoft, “Millennials appear to be very aware of their data and the need for its security in the cloud.” This does not prevent their generation from readily accepting the cloud. He goes on to say that Baby-Boomers and Gen-Xers are more hesitant to change the way things have been done for decades now: set up servers in a data center and operate from a sense of control. Often, C-level executives have considered the possession of their data and systems equivalent to security. However, this is not the case. Most threats to data security come from the Internet. Attacks through phishing, malware, viruses, trojans, and other types of hacking tools cause a majority of security breaches. Therefore, if most breaches occur over the Internet, then possessing a server does little to prevent that threat.

Consequently, according to Nir Kshetri, “Most cloud providers’ services come with no assurance or promise of a given level of security and privacy,” indicating that cloud providers may reduce their levels of liability through their contracts or agreements. He goes on to suggest that “security and privacy measures designed to reduce perceived risk as well as transparency and clear communication processes would create a competitive advantage for cloud providers.” This assertion is accurate in that the public needs more education about cloud security and the differences between security and trust as it pertains to personal responsibility. Privacy is another big concern for people that dovetails with security. Naresh Seghal, et al., assert that “[i]n addition to accepting the security process, a user may have privacy concerns. Specifically, the more information is required to ensure proper access, the more private information is available to the security checking system,” describing the amalgamation of privacy and security. This complicates matters significantly in that the concern is no longer simply security; it now involves the private details of real people. Clearly, not every company is ready to move to the cloud, but why?

Adopting innovation is arguably one of the riskiest endeavors facing humanity today. With the rise of artificial intelligence (AI), author Calestous Juma quips, “Our desire to humanize technology is captured in the humour of this Bradley’s Bromide: ‘If computers get too powerful, we can organize them into a committee — that will do them in’.” On one hand is the possibility of reaching autonomous computer interactions leading to robots or androids truly being useful to humanity and, ultimately, AI. Yet on the other hand is the threat that AI poses. In the movie The Terminator, the genocidal SkyNet was essentially AI in the cloud. What do scenarios such as cloud adoption or drone usage threaten? Why are companies so opposed to using these technologies, often citing words such as “security risk” or “breached” to broadly describe the cloud? Juma proposes that the understanding of our own humanity is what prevents technology adoption. He makes a solid argument with this description.

Juma suggests that people over the past centuries have also shown resistance to technological innovation, including the Ottoman rulers who opposed the printing of the Koran because it would undermine the roles of spiritual leaders. Even farmers saw little practical use for tractors over horses unless they could reproduce like horses. Juma defines this phenomenon as humanity being a risk to itself. Ultimately, whether the innovation challenges current practice or supports it will define the likelihood of adoption success. People fearing change stretches back to the beginning of history. Women’s suffrage, the civil rights movement, and the abolition of slavery are all examples of successful changes for the better. Juma cites the acceptance of the cell phone as an illustration of innovation that was slow to be adopted. Nowadays, one can hardly imagine going a day without their smartphone. In fact, there are now psychological conditions that revolve around technology addiction. Executives need to see technological innovation, such as the cloud, as something neither they, nor their customers, can live without.

When a company uses the argument that the cloud is insecure, it is simply a result of this fixed mindset. In the next dozen years or so, the cloud will simply become the platform for the world’s technological endeavors, much like roads are to cars. Some innovation simply cannot be resisted. Consider healthcare as it pertains to surgery: advanced robotics will perform many surgical procedures. Whereas some surgeries used to have a high mortality rate, now those same procedures are considered routine and near-zero risk. Maybe this is the type of innovation that people are likely to receive with little resistance, trusting in a developer and an engineer more than a surgeon with a steady hand.

To combat this stigma, the industry condenses a broad spectrum of security areas into three: “security can be viewed as including three functions: Access control, secure communications, and protection of private data.” These relate to who can access the data, how the data is protected during transmission, and how the data is secured while it resides in the cloud. Complicating matters, cloud providers offer the following services: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). These offerings divide the aspects of security layers between the cloud providers themselves and the customers, causing responsibility to be split among the players. Public perception has been quick to blame the cloud providers for security breaches that occur on their platforms, regardless of who is actually at fault. Suzanne Frey from Google asserts, “This is where we are with the cloud today: we are at that precipice of going from the early adopter phase to the late adopter phase…We are realizing that those [who use the] cloud… fundamentally do a full stack of operations around security and privacy better than on-premises operators can do today.” John Sewell and Andreae Pohlman of Microsoft both said that the security development life-cycle is paramount to Microsoft’s cloud offerings. These cloud providers know more about security and spend more dollars on it than most because the market is driving this. They could not survive in this business model if security were not the number one focus. It would seem to follow that as people believe themselves to be more technically proficient, they would inherently believe that cloud technology is ahead of the curve as it relates to security. This is perfectly fine if things are good. However, when a security incident occurs, responsibility for the loss or compromise often falls on the shoulders of the cloud provider in the court of public opinion.

All the latest security measures in the world cannot protect against stupidity and carelessness. One would not go to bed at night and leave their front door wide open. Yet these constantly-connected lives consistently endure bad decisions. “According to a March 2016 survey by NTT Communications Corp., 77% of decision-makers use a third-party cloud application without the knowledge of their IT department.” This culture of “shadow IT” is becoming increasingly popular. The efforts by a company’s security team become less and less effective as users constantly try to thwart security measures at every turn. All too often, the post-mortem assessment after a breach reveals that patient zero has taken some action that they should not have taken. Cloud security is not to blame for this. Constant user education is critical if there is ever to be a shift in public perception away from cloud security and onto the real culprit: us.

In sum, the merger of public perception of cloud security and consumption of public cloud resources is inevitable. Cloud providers are aware of the need to improve public perception as it relates to their security and their trust. As people become more comfortable with technology and they “feel” like they understand security more thoroughly, they need to be educated concerning the details of security as it relates to their own responsibilities. Executives need to compare what they get from cloud providers against their own abilities and resources. It is time to complete the adoption of the cloud and make the 21st century truly innovative. Just as the automobile faced many challenges for acceptance, so does the cloud. Simply put: innovation is what faces the challenges ahead, while the cloud is just the road on which it travels.
