The popularity of cloud platforms has soared over recent years, as businesses everywhere take advantage of the increased flexibility, cost-effectiveness, and apparent data security they offer. According to a recent report, three in five security professionals believe the risk of a security breach is the same or lower in cloud environments compared to on-premise.
Despite this, however, the cloud may not actually be as secure as people believe. Both cloud and on-premise environments can have equally devastating flaws. Opportunistic criminals are all too aware that many business strategies now tend to favour a shift to the cloud, especially within those organisations – such as large enterprises and government bodies – that they would consider to be high-value targets.
As a result, cloud platforms are being aggressively targeted, and have become key strategic features on the global cyber and information warfare battlefield. The truth is that, although it offers a number of – very real – benefits, the cloud is no safer than on-premise infrastructure, and made less so in migrations that don’t prioritise cyber security.
Visibility and control
Data is, of course, the lifeblood of any business. The intelligence and insight it provides is what gives an organisation its competitive edge. Any conversation around security risks will therefore come down to the protection and control of an organisation’s data, whether on-premise or in the cloud.
So, it’s hardly surprising that, in a desire to retain control over their data, most large businesses simply won’t move it into the cloud. Doing so means they’ll lose visibility of it, which they consider to be a significant business risk. Indeed, apart from the cloud service providers themselves, there are very few £250m+ companies that use the cloud exclusively. Instead, in order to maintain visibility of their data, most organisations operate a hybrid model; part on-premise, and part – mostly public-facing infrastructure – in the cloud.
Ultimately, a judgment must be made, based on the sensitivity of certain data, as to whether hosting that data in the cloud represents less of a security or business risk than hosting it on-premise. But data isn’t only valuable to an organisation’s business operations; it’s critical to its security posture too. Why, then, would an organisation give this data away to a tech giant?
Valuable data is being given away to companies that make their money from data. Doing so effectively enables cloud providers to map out all of the securities and insecurities within that organisation’s network. There’s a reason the cost of cloud is so low; hosting companies are getting far more than just CPU cycles, power, and energy. Fundamentally, to any business, data is value – it has to be protected, and visibility is key to this. After all, once it’s gone, it’s gone for good.
Corporate networks are becoming increasingly complicated, containing elements of both cloud and on-premise infrastructure. Protecting these networks, and the data that flows across them, requires a security infrastructure that both mirrors and is scalable to their growth.
On-premise infrastructure needs to be strong enough and offer complete visibility over an organisation’s data rates both now and in the future. Likewise, a virtual infrastructure is needed that can be deployed in the cloud, and that can be scaled out on demand, to meet an organisation’s changing demands, expansion plans and future data rates, all while still providing full visibility over its data.
Many organisations will utilise the cloud itself in strengthening their security provisions and threat intelligence. When training AI algorithms and machine learning-based anomaly detection systems, for example, organisations will often share threat intelligence data directly into the cloud. Doing so creates a security infrastructure which uses the cloud as a central “brain”, from which up-to-date threat intelligence can be derived, and from which they can identify any potential threats that might resemble something seen on a global scale.
Once again, however, this raises the question of control. It’s important that any threat intelligence comes directly to the organisation itself, rather than being given away to any third party hosting its security infrastructure. Similarly, no organisation wants a third party to have access to the data it’s using to train its AI.
There are clearly benefits to having access to wider threat intelligence, but using the cloud for security purposes is inherently complex. Ultimately, security infrastructure shouldn’t be mixed up with business. An organisation shouldn’t store the cloud services it’s monitoring on-premise, and vice versa; it shouldn’t store its on-premise security data in the cloud.
Striking a balance
There is a balance to be struck, one that boils down to classic risk management – business versus security. On a technical level, the cloud is less secure than on-premise. Criminals see it as a high-value target and will attack it more frequently. But its flexibility, scalability and cost-effectiveness are often what businesses need to maintain a competitive edge. On-premise infrastructure, on the other hand, is more expensive, but it does offer organisations greater control over their data, and offers the added peace-of-mind of physical security features.
The balance between on-premise and cloud infrastructure should therefore be tailored to an organisation’s needs at any given time. It should mirror an organisation’s risk appetite and its business imperative. Furthermore, better standards for encryption and engineering, underpinned by the latest legislation, are needed on a universal scale. As such, global and technical collaboration is needed by all.
In the end, it’s important to remember that cloud is actually no safer than on-premise. Given the value placed on data, it’s vital that organisations prioritise the accompanying security infrastructure, and ensure it too mirrors business needs in the same way.