Rob Alexander, CIO of the large US financial firm Capital One, stood on stage at the AWS re:Invent event and told the audience “We can operate more securely on AWS than we can in our own data centres.”
Why is Capital One confident that the cloud is the best place for their most valuable and sensitive customer data, and for enabling their digital strategy? And why do a lot of industry commentators and surveys still report security as the biggest risk and inhibitor of cloud adoption?
It is a strange contradiction, and it is best examined through a few common corporate cloud scenarios and the misconceptions behind them.
1. IT Security Doesn’t Know What Clouds Are in Use
Cloud surveys, such as those from the Cloud Security Alliance (CSA), report that security professionals tend to under-report their organisation's cloud usage. The discrepancy shows up when the number of cloud applications they believe are in place is compared with an audit: a cloud identity system, for example, can report that hundreds of cloud applications are in use.
The cloud-security reality: Those 'unknown' cloud systems are a risk not because they are in the cloud, but because security does not know about them and so is not securing them.
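An added example of the kind of audit this scenario describes, not code from the original article: a script that reads web-proxy log lines, maps the hosts contacted to cloud applications, and reports every application that security did not have on its sanctioned list, ordered by how much data was uploaded to it. The log format, the application catalogue, the sanctioned list and the log lines themselves are constructed assumptions; a real deployment would use the proxy's or CASB's own catalogue of thousands of applications.

```python
"""Discover cloud (SaaS) applications in use from web-proxy logs and compare
them with the list IT security believes is sanctioned.

Added example, not code from the original article. The log format, the
application catalogue and the sanctioned list are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed log lines in a simplified proxy format (assumption):
# <timestamp> <user> <method> <url> <status> <request-body-bytes>
SAMPLE_PROXY_LOG = """\
2023-05-01T09:01:12Z alice GET https://app.salesforce.com/home 200 5120
2023-05-01T09:02:30Z bob POST https://api.dropbox.com/2/files/upload 200 204800
2023-05-01T09:03:01Z carol GET https://mail.google.com/mail/u/0/ 200 9000
2023-05-01T09:05:44Z alice POST https://content.dropboxapi.com/2/files/upload 200 1048576
2023-05-01T09:06:10Z dave GET https://www.bbc.co.uk/news 200 32000
2023-05-01T09:07:55Z erin GET https://acme.slack.com/messages 200 4000
2023-05-01T09:09:03Z bob GET https://eu-west-1.console.aws.amazon.com/s3/ 200 2200
2023-05-01T09:10:20Z frank POST https://api.trello.com/1/cards 200 800
2023-05-01T09:11:00Z carol POST https://upload.wetransfer.com/api/v4/transfers 200 52428800
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Catalogue of registered domains -> cloud application (assumption: a real
# deployment would use a CASB or proxy vendor's catalogue, not a hand-made dict).
APP_CATALOGUE = {
    "salesforce.com": "Salesforce",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "google.com": "Google Workspace",
    "slack.com": "Slack",
    "amazon.com": "AWS Console",
    "trello.com": "Trello",
    "wetransfer.com": "WeTransfer",
}

# Public suffixes under which the registered domain has three labels, so that
# www.bbc.co.uk is reduced to bbc.co.uk rather than co.uk (a small subset).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registered_domain(host):
    """Reduce a hostname to its registered (organisation-level) domain."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def discover_cloud_apps(log_text, sanctioned_apps):
    """Return {app: {"users": set, "requests": int, "bytes_out": int, "sanctioned": bool}}."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole audit
        host = re.sub(r"^https?://", "", m["url"]).split("/")[0].split(":")[0]
        app = APP_CATALOGUE.get(registered_domain(host))
        if app is None:
            continue  # not a catalogued cloud application (e.g. a news site)
        rec = usage[app]
        rec["users"].add(m["user"])
        rec["requests"] += 1
        if m["method"] in ("POST", "PUT"):
            rec["bytes_out"] += int(m["bytes"])  # data leaving the organisation
    for app, rec in usage.items():
        rec["sanctioned"] = app in sanctioned_apps
    return dict(usage)


def unsanctioned_apps(usage):
    """Applications in use that security did not know about, largest upload volume first."""
    return sorted((a for a, r in usage.items() if not r["sanctioned"]),
                  key=lambda a: -usage[a]["bytes_out"])


if __name__ == "__main__":
    sanctioned = {"Salesforce", "Google Workspace", "AWS Console"}
    usage = discover_cloud_apps(SAMPLE_PROXY_LOG, sanctioned)
    print(f"{len(usage)} cloud apps observed; security knew of {len(sanctioned)}")
    for app in unsanctioned_apps(usage):
        r = usage[app]
        print(f"UNSANCTIONED {app}: users={sorted(r['users'])} uploaded={r['bytes_out']} bytes")
```

On the constructed log the script finds seven applications where security knew of three; the unsanctioned ones are ranked by upload volume so that the file-transfer services, the ones most likely to be moving sensitive data out, come first.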
2. IT Security Thinks that Public Cloud Has a Larger Attack Surface Area
A concern often raised by IT security is that the cloud increases the attack surface because it is public and a shared, multi-tenant utility. This ignores the fact that cloud networks can be isolated and can use the same controls that are used outside the cloud (MPLS links, virtual private networks (VPNs), multi-factor authentication, and more).
Ignorance of how to use the plethora of security controls available in the cloud will indeed increase risk, but that is not the fault of the cloud providers, who are very clear about the shared responsibility model and about how to secure cloud systems effectively.
The cloud-security reality: The attack surface area of on-premise systems is underestimated and that of the cloud is over-estimated.
3. IT Security Thinks Data Breach Is More Likely in the Cloud
The main incorrect assumption held by many IT security professionals is that putting data in the cloud increases the risk of a data breach, as shown by studies such as the Netskope and Ponemon Institute survey of IT professionals. It is important to realise, however, that these surveys are often not a study of the facts but a study of opinions.
Such surveys reveal a belief that data behind a corporate firewall is safe and that breaches in the cloud are more expensive and damaging. The reality is that data breaches usually start with staff, for instance a malware-infected employee laptop that also has access to sensitive systems. The US Department of Health and Human Services (HHS), for example, states that healthcare staff, not hackers, are responsible for 63 per cent of data breaches.
According to the HHS, the top five breaches on record, which between them affected roughly 6.6 million individuals through four thefts and one lost disk, are:

| Provider | Year | Individuals affected | How the data was breached |
|---|---|---|---|
| Health Net | 2011 | 1,900,000 | Portable disk drive stolen from Health Net's California office. |
| NYC Health & Hospitals Corporation | 2010 | 1,700,000 | Hard drives storing health record information stolen from the back of a van. |
| AvMed | 2009 | 1,220,000 | Laptops stolen from the corporate office in Gainesville. |
| Blue Cross Blue Shield of Tennessee | 2009 | 1,023,209 | Hard drives storing health record information stolen from an IT closet. |
| South Shore Hospital | 2010 | 800,000 | Disk drives lost while being transported to a contractor for destruction. |
The cloud-security reality: Data breaches are least often the result of hacking and most often the result of staff actions or behaviours.
Why the Cloud Is More Secure
A poorly secured system, maintained by staff who don't follow policies and exposed to malware on the devices that access it, is a risk whether or not it is in the cloud. Conversely, staff cannot steal disks of data if that data is in the cloud and secured with encryption and access management. The cloud also offers many tried and tested methods of monitoring and control for securing systems, applications and data, which increase security and reduce risk.
In many ways, the cloud has democratised access to leading security technologies and practices, which in the past were only available to organisations with large IT budgets. Examples of such security features available to everyone in the cloud include:
- Data encryption at-rest and in-transit
- Key management systems
- Isolated networks
- Advanced identity and access management
- Detailed logging for all resources
- Resource configurations to reduce human error
- Automated resource inspection
To buy these capabilities and manage them on-premise requires significant capital expenditure and the hiring of specialist staff. In the cloud, these systems are already installed, waiting for customers to consume them.
You pay only for what you use, and all the features are available to everyone, from the self-employed individual to a multinational bank such as Capital One. And you don't have to be a security expert to use them, just willing to learn from online guides.
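An added example, not code from the original article or from any cloud provider's SDK, of the last item in the list above (automated resource inspection) checking the earlier ones: a baseline for object-storage buckets covering encryption at rest, use of a customer-managed key, public exposure, access logging and versioning, with a severity per failed check and a worst-case grade per bucket. The bucket inventory is constructed to resemble what a storage API returns; the field names and the severities assigned are assumptions.

```python
"""Automated inspection of cloud storage configurations against a security
baseline: encryption at rest, managed keys, no public exposure, access logging.

Added example, not code from the original article or from any cloud provider's
SDK. The inventory is constructed; in practice it would be fetched from the
provider's API and the field names would follow that API (assumption).
"""

# Constructed inventory of object-storage buckets (field names are assumptions).
INVENTORY = [
    {"name": "customer-records", "region": "eu-west-1",
     "encryption": {"enabled": True, "kms_key_id": "alias/customer-data"},
     "public_access_block": True, "acl_grants": [],
     "logging_enabled": True, "versioning": True},
    {"name": "marketing-assets", "region": "eu-west-1",
     "encryption": {"enabled": True, "kms_key_id": None},   # provider-default key
     "public_access_block": False, "acl_grants": ["AllUsers:READ"],
     "logging_enabled": False, "versioning": False},
    {"name": "backups-2023", "region": "us-east-1",
     "encryption": {"enabled": False, "kms_key_id": None},
     "public_access_block": True, "acl_grants": [],
     "logging_enabled": True, "versioning": True},
]

SEVERITY_RANK = {"PASS": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


# Each check returns (severity, detail) on failure, or None when the bucket passes.
def check_encryption_at_rest(b):
    if not b["encryption"]["enabled"]:
        return "HIGH", "no default encryption at rest"
    return None


def check_managed_key(b):
    enc = b["encryption"]
    if enc["enabled"] and not enc["kms_key_id"]:
        return "MEDIUM", "encrypted with the provider-default key rather than a customer-managed KMS key"
    return None


def check_public_exposure(b):
    # Grants to the anonymous or any-authenticated-account principals make the data public,
    # as does leaving the account-level public access block switched off.
    public = [g for g in b["acl_grants"] if g.startswith(("AllUsers:", "AuthenticatedUsers:"))]
    if public or not b["public_access_block"]:
        return "CRITICAL", f"publicly reachable (public_access_block={b['public_access_block']}, grants={public})"
    return None


def check_access_logging(b):
    if not b["logging_enabled"]:
        return "MEDIUM", "access logging disabled, so reads and writes leave no audit trail"
    return None


def check_versioning(b):
    if not b["versioning"]:
        return "LOW", "versioning disabled, so overwritten or deleted objects cannot be recovered"
    return None


CHECKS = [
    ("encryption_at_rest", check_encryption_at_rest),
    ("managed_key", check_managed_key),
    ("public_exposure", check_public_exposure),
    ("access_logging", check_access_logging),
    ("versioning", check_versioning),
]


def inspect_inventory(inventory, checks=CHECKS):
    """Run every check on every bucket; return one finding per failed check."""
    findings = []
    for b in inventory:
        for check_name, check in checks:
            result = check(b)
            if result is not None:
                severity, detail = result
                findings.append({"bucket": b["name"], "check": check_name,
                                 "severity": severity, "detail": detail})
    return findings


def summarise(inventory, findings):
    """Worst severity per bucket, 'PASS' for buckets with no findings."""
    worst = {b["name"]: "PASS" for b in inventory}
    for f in findings:
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[worst[f["bucket"]]]:
            worst[f["bucket"]] = f["severity"]
    return worst


if __name__ == "__main__":
    findings = inspect_inventory(INVENTORY)
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]]):
        print(f"{f['severity']:<8} {f['bucket']:<18} {f['check']}: {f['detail']}")
    print(summarise(INVENTORY, findings))
```

Run on the constructed inventory, the customer-records bucket passes every check, the marketing bucket is graded CRITICAL for being publicly readable (it also lacks logging, versioning and a managed key), and the backup bucket is graded HIGH for having no encryption at rest. The same shape of check, run on a schedule against the live API, is what the cloud providers' own configuration-audit services automate.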
Sarah Lahav, CEO of SysAid Technologies