Today’s companies are understandably concerned about securing their systems and their employees’ and customers’ data; unfortunately, that concern is slowing the adoption of shared computing tools and techniques, which are commonly referred to these days using the “cloud” buzzword. In this article, I’ll illustrate that there is no measurable difference between the level of security that well-configured cloud-based solutions can provide and the level of security that is typically provided for and within most companies’ internal networks.
First, let’s look at a high-level list of the tools that are used to secure computer networks today:
Thus, in a typical organization, the highest level of security one can reasonably expect is a secured VPN connection – aka an SSL-encrypted connection to a corporation’s private, internal computing resources – using two-factor authentication. For a cloud-based system to be just as secure, it would have to use SSL encryption with an equivalent key length as well as employ two-factor authentication. Is two-factor authentication offered by today’s cloud computing vendors? Yes![2] This means that it is easily possible to provide the same level of security against external attacks for cloud computing resources as it is for internal corporate resources. If an organization is pushing back on making a cloud investment due to concerns about external security, decision-makers should feel confident in questioning the reasoning behind that position and in dismissing any knee-jerk or uneducated stance as being based on irrational Fear, Uncertainty, and Doubt rather than an objective assessment of the security options associated with cloud computing offerings.
Now, let’s look at a much more complex area, that of internal security. If two (or more) organizations are using the same cloud-based computing resources, extra care must be taken to ensure that resources from one company can’t access data belonging to another company. The bottom line here is that this is a legitimate concern, and internal security resources should ensure that their prospective cloud computing vendors are using effective tools and techniques to secure their sensitive corporate data. However, when comparing the relative security of cloud computing resources, it’s interesting to note that most corporate networks today are no more secure from “internal” attacks than are cloud-based networks. Why? Simply put, a corporate network is only as strong as its weakest link, which can be a careless or criminally-motivated employee, a renegade wireless router, or an unsecured web server, just to name a few. If computing is outsourced to the cloud, a gamble is being made that the security the cloud computing vendors employ to keep their employees away from a specific customer’s data and their other customers away from that customer’s data is more effective than the security that a company employs internally. Thus, the most important question to ask an internal security team here is the following: Do they believe they are more effective at guarding against internal attacks or compromises of data than the security teams at the prospective cloud vendor(s)? Furthermore, do they have the proof to justify their position? If they take the time to answer the question objectively, the conclusion will almost always be that it’s at least possible that they will be less effective at guarding against internal threats than the leading cloud computing vendors and that an objective study is warranted. 
Again, question any knee-jerk statement that cloud computing is inherently insecure due to the risk of internal data breaches, and encourage a rational, objective assessment of the level of security offered internally and by any prospective cloud computing vendor.
What has been demonstrated? First, it’s been shown that there is no major security advantage in guarding against external attacks associated with the use of internal networks versus cloud-based networks, provided the same level of security precautions are employed. Second, we’ve uncovered the most important basic question that should be asked when comparing the ability of a cloud vendor to guard against internal attacks to the ability of an internal corporate security team to guard against similar internal attacks. Through this article, we’ve effectively illustrated that any blanket, knee-jerk generalization that cloud-based computing is inherently insecure is tantamount to irrational Fear, Uncertainty, and Doubt. Companies should approach the move to cloud computing with care, and they should consider it along with their other options while focusing on cloud security. However, they should not dismiss such a move due to generalizations based on Fear, Uncertainty, and Doubt. If they do, they may fall behind in the race to establish a more cost-effective, capable, and competitive business through the cost-saving benefits of cloud computing.