Why are there so many myths circulating about cloud security?

There is a lot of nasty talk about cloud security solutions on the web. From calling them “inherently insecure” to branding them as a source of imminent risk, the “folding arms gang,” or CISOs/CSOs in favour of maintaining legacy solutions and the on-premise model, have surely gone to town to cast a cloud over cloud security solutions. As a result, a number of myths about cloud security are spreading through the information security industry. Now’s the time to set the story straight and debunk the top cloud security myths once and for all.

Myth #1: “Cloud solutions are inherently insecure”

This is the most popular myth surrounding the cloud (and not just in enterprise), and mainly stems from the fact that cloud is a new infrastructure, can be public or hybrid, and has the qualities of being easily accessible and user-friendly. While employees love it, IT teams and network admins shiver a little when they think about the security implications cloud could have on their organisation.

However, beliefs aside, it is clear that cloud solutions are safer than legacy solutions due to several factors. The first, and maybe the most important, is that the cloud removes the need for manual firmware updates, configuration changes, and penetration testing. When legacy systems are updated, this causes system downtime and creates a potential point of entry for hackers. Cloud solutions, on the other hand, are updated remotely by the service provider and there’s usually no downtime during updates. With cloud security solutions, employees can keep up business as usual while hackers are blocked from accessing points of exploitable vulnerability. One survey found that 64 per cent of enterprises consider cloud infrastructure a more secure alternative to legacy systems.

Myth #2: “The cloud is too new to be trusted”

Similar to the sentiments of the first myth, fans of legacy systems are wary of cloud security solutions because they are still relatively new and “innovative.” According to this logic, cloud security solution providers are still working out the bugs, and when it comes to sensitive information and access credentials, it’s too risky to put a company’s “crown jewels” in their hands.

Despite these concerns, the rapid rate of cloud security solution adoption shows that many CISOs/CSOs are deciding otherwise. From healthcare to IT, enterprises small and large are deploying cloud-based security solutions for everything from human resource management to enforcing network security controls. Indeed, one survey found that 70 per cent of organisations (surveyed) have at least one application in the cloud. Another survey found that 90 per cent of businesses (surveyed) in the US use cloud infrastructure. With impressive numbers like these for cloud adoption, it seems that some of the folding arms gang’s arguments are outdated.

Myth #3: Productivity apps are one thing; security is another

Another common argument compares apples with oranges, or the role of cloud-based productivity apps with security solutions. The logic is that productivity apps have positive effects on organisational efficiency and their level of security vulnerability is low, while the same cannot be said of security appliances. Security appliances in the cloud put an organisation’s main value proposition at risk and in the hands of an external organisation that may do what it pleases with the information. So, while productivity apps like Salesforce and Google Cloud are welcome tools, taking security appliances to the cloud is an entirely different story.

The major pitfall of this myth is essentially that this is an unfair comparison; productivity apps have one purpose while security appliances have another. Indeed, while the information and credentials stored on productivity apps might be of lesser “security” importance to the organisation, they still need effective security solutions to protect that information and currently, those solutions are also cloud-based. With a cloud-based network access control solution, for example, the organisation can control access to all endpoints, including BYOD, IoT, virtual and cloud applications. With complete visibility into what information is being shared and by whom, deploying a cloud-based security solution may in fact be the only way for IT teams to protect information and prevent unauthorised access to assets.

Myth #4: IT teams need to be re-educated to deploy cloud

The idea here is that so much effort is already spent on educating employees about relevant cyber threats that taking the time to re-educate IT teams and shift their security appliances into the cloud would be too much to handle. IT teams are so used to deploying, maintaining, upgrading and servicing legacy hardware/software systems that a shift to cloud-based security would throw the organisation off.

While no one is saying that all systems need to be moved to the cloud, there is no denying that on-premise appliances, and security appliances, in particular, take a good deal of time and resources to maintain. It’s estimated that each year, organisations devote up to 70 per cent of their IT budget to maintaining legacy software, and that’s just the maintenance. Transitioning to cloud solutions not only helps organisations cut costs, helping them move from capital expenditure on legacy systems to a more realistic model of operational expenditure based on use, but also creates notable benefits for IT teams. Instead of investing their efforts in maintenance, IT teams free up time to engage in more productive tasks that contribute directly to their organisation’s value proposition - such as creating cyber and social engineering education programs. The bottom line is that transitioning to cloud might seem like a pain in the neck at first, but in reality, it is helping organisations cut costs and devote time to more meaningful projects.

Myth #5: Cloud solutions can’t help with compliance

A major source of what is known as the “IT headache” is implementing compliance initiatives and protocols. Legacy systems have done their part in covering the compliance bases, but with their rigid architecture, it’s hard for CISOs/CSOs to keep up with rapidly evolving international and industry-wide standards. That said, fans of legacy solutions don’t believe that cloud solutions are the answer because they are a source of cyber vulnerability that stands in the way of organisations achieving their compliance goals.

Yet the opposite is very much true. Cloud solutions, from Google Cloud to Amazon Web Services to Azure, know how important an issue compliance has become and have integrated compliance enforcement and audits into their infrastructure. Of course, this doesn’t mean that organisations don’t have to remain aware of relevant compliance protocols, but it is making it a bit easier to compile reports and stay on track with initiatives. By choosing a cloud-based security solution, CISOs/CSOs are not only relieving a great deal of stress tied to the auditing process, but are doing their part to minimise critical digital business risks.

The (secure) cloud is here to stay

According to Gartner, “By 2020, a corporate ‘no-cloud’ policy will be as rare as a ‘no-Internet’ policy is today,” which is a testament to the progress already made in implementing cloud solutions. In the case of security solutions, in particular, it’s time for CISOs/CSOs to start thinking out-of-the-box (literally) about how they can best make their digital transition. And with cyber threats constantly evolving, comprehensive cloud-based security solutions for access control and risk monitoring are a great place to start.

Ofer Amitai, CEO and co-founder, Portnox