"It's OK to move unimportant data to the cloud, but it's vital that anything that must remain secure stay within your corporate data center." That's a commonly held view, and one that assumes cloud security is inferior to data center security.
But it's not the opinion of Andres Kohn, vice president technology and product management at the cloud-based email security company, Proofpoint. "Quite frankly, I think this view is a bunch of crap," he said last week at the InfoSecurity Europe conference in London. In fact, data hosted in the public cloud by a good service provider can and should be much more secure than in any facility run by an enterprise, he maintains. Here are the five main reasons why:
1. Greater (Economies of) Scale
Any cloud provider worth its salt will be storing petabytes of data. To do that successfully involves training or recruiting large numbers of people with the skills required for such a mammoth task. "You need a tremendous amount of operational expertise to manage data at this scale -- a level of expertise that business customers simply don't have in-house," Kohn believes. This expertise can ensure a very high level of security because less skilled staff are more likely to introduce vulnerabilities or misconfigurations unwittingly.
2. More Secure Development Lifecycles
Cloud providers have the opportunity to develop their systems from scratch with security best practices planned for and built into the system from the ground up. This includes everything from the core cloud computing software platform to the processes that are put in place and the monitoring systems used to control them.
3. Continuous Auditing
If a cloud provider is serious about security -- which it certainly ought to be -- it should be auditing, monitoring and security testing all operations on a continuous basis. This has a number of benefits for customers, Kohn believes. Aside from helping to guarantee a high level of reliability, it means cloud providers are able to ensure they are running the latest versions of all the software they use, and that if anything goes wrong or any irregular behavior takes place -- perhaps indicating an intrusion attempt -- they are in a position to spot it immediately and correct it as quickly as possible.
4. Higher Levels of Automation and Repeatability
A cloud computing platform by its nature is designed to carry out a limited set of tasks, while at the same time being highly scalable. To do this requires a very high level of standardization in terms of computing hardware, networking equipment, applications software and operating systems. "This gives the cloud provider a very controlled environment, which is easier to secure," said Kohn. And because of the very high levels of scale that cloud providers work at, they apply the principles and practice of automation and repeatability when they implement new systems. "Because of this, there is basically no chance that when we introduce new equipment we miss an important security patch or introduce a vulnerability by leaving the wrong port open by mistake," he pointed out.
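An added illustration of that standardization-plus-automation idea (example code written for this article, not Proofpoint's own tooling): a fleet audit that compares every host's open ports and patch level against one declared baseline, so a missed patch or a stray open port is reported as a deviation instead of going unnoticed. The host names, port numbers and baseline values below are constructed.

```python
from dataclasses import dataclass

# One standardized baseline for the whole fleet (constructed values).
# Patch levels are "YYYY-MM" strings, so plain string comparison orders them.
BASELINE = {
    "allowed_ports": {22, 443},   # the only listeners the standard image needs
    "min_patch_level": "2011-04",
}


@dataclass
class Host:
    """Observed state of one machine (as an inventory scan would report it)."""
    name: str
    open_ports: set
    patch_level: str


def check_host(host, baseline=BASELINE):
    """Return a list of deviations for one host; empty means compliant."""
    findings = []
    extra_ports = host.open_ports - baseline["allowed_ports"]
    if extra_ports:
        findings.append(f"unexpected open ports: {sorted(extra_ports)}")
    if host.patch_level < baseline["min_patch_level"]:
        findings.append(
            f"patch level {host.patch_level} below {baseline['min_patch_level']}"
        )
    return findings


def audit_fleet(hosts, baseline=BASELINE):
    """Map each non-compliant host name to its findings; compliant hosts are omitted."""
    report = {}
    for host in hosts:
        findings = check_host(host, baseline)
        if findings:
            report[host.name] = findings
    return report


# Constructed sample fleet: one clean host, one with a stray listener, one unpatched.
FLEET = [
    Host("web-01", {22, 443}, "2011-05"),
    Host("web-02", {22, 443, 3306}, "2011-05"),
    Host("web-03", {22, 443}, "2011-02"),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET).items():
        print(name, "->", "; ".join(findings))
```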
5. Stricter Access Controls
One of the biggest security problems for many organizations is the insider threat -- the risk that an employee with access to sensitive systems will use his access privileges to compromise security. But in a large cloud operation, it's less likely there will be a single person with overarching privileges, Kohn said. "In our operations, the VP of apps can't access the operating systems, the networking folks can only access networks, and the OS folks can only access OSes. That limits the insider threat very effectively."

Of course there's a big difference between saying a public cloud provider should be more secure than your data center and saying that a cloud provider is more secure. If you keep your digital assets in-house, then you know what data center security measures are in place, but if a cloud provider claims to be taking every step to make your data more secure than you ever could, how can you verify these claims?
One answer is to check that your cloud provider has suitable certification -- such as ISO/IEC 27001, FISMA or SAS 70/SSAE 16. And don't just leave it at that: Getting a copy of the certification report from the cloud provider allows you to see exactly what they are doing and how they are doing it. That way you can come to an informed assessment about whether your data really would be safer away from your data center, under the protection of a service provider in the cloud.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.