In our series Myth Busters, we are busting the myths surrounding cloud computing, security, and innovation. So, let’s tackle a cloud myth AND a security myth! One of the most persistent myths about cloud computing is that it’s not secure. This myth has kept some businesses from adopting cloud technology, but it’s time to bust this myth once and for all. In this blog post, we’ll explore why the cloud is a secure option for businesses of all sizes.
Let’s start with investment. When I was a CIO, this metric swayed me to trust the cloud. How much do you spend on security? Include both the physical security of your IT assets and cyber security. Add in the cost of your cyber insurance, which by the way, is probably going through the roof. How much do you spend? $100,000? $200,000? More?
A study by Deloitte estimates that mid-sized companies (defined as those with annual revenues between $100 million and $1 billion) spend an average of 0.5% to 1% of their annual revenue on cybersecurity. This would equate to between $500,000 and $10 million for a company with $100 million in annual revenue or between $1 million and $100 million for a company with $1 billion in annual revenue.
I know that for the organization I led, it was far less than 0.5% of our revenue!
How much are the cloud providers spending?
In its 2020 annual report, Amazon Web Services (AWS) reported spending over $1.6 billion on security and compliance in 2019. Similarly, Microsoft has reported investing over $1 billion annually in security-related research and development. Google Cloud has stated that it invests heavily in security, including leveraging machine learning to enhance its security capabilities.
That’s a billion…with a B. Far more than the several hundred thousand most of us spend.
Now let’s look at staffing.
One of the advantages of using cloud providers is that they often employ top-tier security professionals who are experts in their field. These professionals have years of experience and training, and many hold industry certifications such as CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager). Cloud providers also have the resources to attract and retain top talent, which can be challenging for many organizations that may not have the budget or resources to offer competitive compensation packages.
In contrast, many organizations struggle to find and retain qualified security engineers. The cybersecurity industry is growing rapidly, demand for these skills is high, and there is a shortage of qualified candidates to fill the many available jobs. According to Cybersecurity Ventures, there were 3.5 million unfilled cybersecurity jobs in 2021, highlighting the challenge that organizations face in finding qualified cybersecurity professionals.
Additionally, organizations may not have the resources to provide their security engineers with the latest training and certifications or to invest in the latest security tools and technologies. This can make it difficult for organizations to keep up with the latest threats and implement effective security measures.
Cloud providers, by comparison, invest heavily in their security teams, providing the latest training and certifications and access to the latest security tools and technologies. This allows cloud providers to stay ahead of the latest threats and to implement effective security measures to protect their customers’ data.
Overall, the quality of security professionals employed by cloud providers is often higher than what many organizations can afford to hire on their own. This, along with the other security benefits offered by cloud providers, can make the cloud a more secure option than on-premises environments.
Robust Security Measures
In addition to investing heavily in security professionals, cloud providers have made significant investments in security measures to ensure the safety and privacy of their customers’ data. These measures typically include firewalls, intrusion detection and prevention systems, and advanced threat analytics tools. Cloud providers also typically undergo rigorous security audits and certifications, such as SOC 2 and ISO 27001, to ensure their security measures meet industry standards.
Cloud providers typically have more sophisticated and robust security measures than most businesses can afford to implement on their own. Cloud providers invest heavily in security measures to protect their infrastructure and customers’ data from hacking, malware, and cyber-attacks. They also have teams of security experts who continuously monitor and update security measures to keep up with new and evolving threats.
Shared Responsibility Model
The shared responsibility model is another reason the cloud can be more secure than on-premises environments. With the shared responsibility model, cloud providers are responsible for securing the underlying infrastructure, while the customer is responsible for securing their applications and data. This means that customers can benefit from the cloud provider’s robust security measures and expertise while still having control over their own security measures.
In contrast, on-premises environments are solely the responsibility of the business, which may not have the resources or expertise to implement robust security measures. Additionally, the responsibility for securing on-premises environments can fall on a single person or team, making them more vulnerable to attacks.
Regular Security Updates
Cloud providers continuously update their security measures to protect against new and emerging threats. These updates are often rolled out automatically, meaning that businesses can benefit from the latest security measures without having to invest in new security technology themselves. This can help businesses stay ahead of the latest threats, which is crucial in today’s rapidly evolving threat landscape.
In contrast, on-premises environments require businesses to invest in new security technology and tools to stay updated with the latest threats. This can be time-consuming and expensive and may not be feasible for all businesses.
Let’s look at the numbers
Real-world metrics also demonstrate that the cloud can be more secure than on-premises environments. For example, a study by Alert Logic found that cloud environments had lower rates of security incidents than on-premises environments. The study found that 11.4% of on-premises environments experienced security incidents, while only 4.6% of cloud environments experienced security incidents.
Additionally, a study by the Cloud Security Alliance found that cloud providers had a better security track record than traditional IT environments. The study found that cloud providers had a 0.04% chance of a breach, while traditional IT environments had a 0.43% chance of a breach.
Speaking of Breaches
While cloud providers invest heavily in security and have a strong track record of protecting their customers’ data, there have been some high-profile security incidents in recent years.
One of the most notable incidents occurred in 2017 when hackers stole data from Equifax, a major credit reporting agency. The breach was initially thought to have occurred through a vulnerability in the company’s website software, but it was later revealed that the hackers had exploited a vulnerability in Apache Struts, a widely used open-source framework that was hosted on an Equifax server on the AWS cloud.
In 2018, Google revealed that it had experienced a data breach that had exposed the personal information of up to 500,000 users of its Google+ social network. The breach occurred due to a software bug in one of the platform’s APIs, which allowed third-party developers to access user data.
In 2019, Capital One, a major financial institution, announced that it had suffered a data breach that had exposed the personal information of over 100 million customers and applicants. The breach was the result of a misconfigured firewall in an AWS environment, which allowed an attacker to gain access to customer data stored in the cloud.
In these high-profile cases, the vulnerabilities that were exploited were in the customer’s applications or configurations rather than the underlying cloud infrastructure, so the responsibility for securing the affected systems would fall primarily on the customer. However, the cloud provider would still have a role in providing guidance and support for securing the environment.
Ultimately, the shared responsibility model highlights the need for a collaborative approach to cloud security, where both the cloud provider and the customer work together to ensure the environment is as secure as possible.
The myth that the cloud is not secure is just that – a myth. Cloud providers have invested heavily in security measures, have a shared responsibility model, and offer regular security updates. Additionally, real-world metrics demonstrate that the cloud can be more secure than on-premises environments. Therefore, businesses should not let this myth hold them back from adopting cloud technology. By taking advantage of the security benefits offered by the cloud, businesses can enjoy a secure and reliable IT environment.