In my role as CEO of the Cloud Security Alliance, I often get put on the spot by audiences and members of the media with a fairly reasonable question: Which is better for data security—the cloud or traditional IT? Well, of course, my original answer to this question is always “it depends.” It depends upon which cloud provider you are talking about. Is it a company like our corporate member Code42, which has invested greatly in data security and keeps current on all of the latest threats and trends? Or is it a fly-by-night cloud provider that has no track record, no chief information security officer and no documented data security program? It also depends upon the security practices you have implemented for your own IT systems, e.g., do you have intrusion detection, data loss protection and a host of other security solutions in house?
I soon learned that “It depends,” while possibly still the most technically accurate answer, is not the most satisfactory answer to an audience. As CSA enters its seventh year, I have become more comfortable in saying that more often than not, your information is safer in the cloud than residing anywhere else. I will still use the weasel words “It depends” as a qualifier, but I feel cloud tends to be the safer choice.
Attacks target customer IT—not cloud infrastructure
If you analyze the major data breaches that have made the headlines, they are attacks upon an organization’s own IT systems, not their cloud providers. I have always found hackers to be lazy people, and they will look for the path of least resistance when looking for a way to compromise a target. Companies that are not in the business of providing IT as a service simply do not approach security in the same way that a quality cloud company does. Cloud companies tend to build fairly homogeneous, standardized systems, which are easier to secure than enterprises that seem to have one of every different computer system. Cloud companies are more likely to invest in state-of-the-art security tools rather than just the minimum required to pass an audit. At the end of the day, a cloud company that loses consumer trust in its computer security is in serious jeopardy of going out of business, while other types of companies simply do not have the same sense of urgency.
Having spent 25 years in the information security business and looking at the state of the industry in 2015, I sincerely feel that legacy IT is the Achilles’ heel of information security, and this will become more apparent in the breaches ahead of us. Whether it is old operating systems no longer under support, hardware that is difficult to replace or software packages with fewer developers having the skills to provide maintenance, it is legacy IT that is the ticking time bomb.
My argument above does not mean that any organization should blindly migrate to the cloud and expect a security windfall. You must discriminate between the good cloud providers and the bad. Fortunately, the Cloud Security Alliance provides a number of free tools to help you understand cloud security issues and measure your cloud providers. I also don’t think that any of us can take a breather. As cloud continues its path to becoming the default IT system, hackers will certainly up their game and find new attack vectors in cloud. Will we meet the challenge? It depends.