You hear it all the time: the cloud is more secure than on-premises systems. It’s stated as if it’s an irrefutable fact, but the reality is that the cloud still requires a great deal of security management and monitoring for it to truly be secure.
Still, according to a recent survey of 500 information technology execs (conducted by iSense Solutions for anti-malware vendor Bitdefender), 53 percent of respondents in the U.S. believe cloud is more secure than their on-premises systems. There’s no doubt that security is one of the perceived benefits enterprises seek when moving to the cloud. And moving they are. Organizations are swiftly embracing cloud as they aim to capture as much value from their technology investments as they can, under increased pressure to deliver more apps, functionality, storage, and business agility than ever before.
And while hybrid infrastructures, a mix of public cloud, private cloud, and on-premises infrastructure, are widely in use today, many predict that data centers will eventually give way to public and private clouds in the near future. Oracle CEO Mark Hurd predicted earlier this year that 80 percent of corporate on-premises data centers will vanish in eight years. According to Gartner, the total worldwide public cloud market will have grown from $209 billion in 2016 to $383 billion by 2020.
And many experts expect that by the end of the 2020s there won’t be any more on-premises cloud deployments left.
According to the same survey cited above, 55 percent of companies are currently turning to the cloud. They cite increased productivity (54 percent), superior storage capacity (47 percent), and lower costs (46 percent) as their main reasons.
But let’s look at this bias that public cloud is more secure than on-premises systems. While a public cloud infrastructure may very well be more secure than what any specific enterprise can build in-house, even this depends on the skills, resources, and deployment use cases involved. And the cloud infrastructure is only part of what needs to be managed in order to secure a cloud deployment.
The infrastructure of the cloud services provider (virtual servers, networking functionality, storage, etc.) may be secured to a higher level than enterprises can achieve themselves, but what about the ongoing configuration of these systems? The identity and access management to them? What about the security of the applications and how they are configured? System configurations can change quickly in the cloud, so what about change control, logging, and auditing capabilities? What about logical network and storage segmentation?
You get the idea. There are still plenty of things in cloud deployments that enterprises must focus on in order to keep their deployments secure.
And any systems or data in the cloud don’t get a magic pass from compliance and regulatory certifications. So rather than thinking about public cloud as being more secure, it’s better to think of the cloud as something that helps to limit the scope of information security that must be directly managed. That’s a much more realistic perspective than the assumption that public cloud is more secure than on-premises systems.