I’ve lost count of the number of times I have heard someone say “The Cloud isn’t very secure”, so I am going to try to provide some insight into just how secure the cloud really is.
How secure is… what, exactly?
If we were to base our decision on the vast number of security breaches we read about every day, I’d say the forecast isn’t good. But there’s more here than meets the eye, as the word “Cloud” has become one of the most misunderstood and confusing terms used in everyday life. It has become so all-encompassing that I think people are starting to lose track of what it is – in fact our own Joe A. J. Beaumont recently wrote a blog article about this very subject. It’s often spoken about as a magical MacGuffin that somehow fixes everything. In recent months I’ve heard the following quotes from my (non-geek) friends: “yeah, we don’t bother with backups anymore – the Cloud just takes care of that for me” and “I don’t need anti-virus, I store my files in the cloud.” These are deeply worrying things to hear from a technological and security standpoint.
So what is this magical new saviour of mankind, the almighty “Cloud”?
The problem is we’re using a single term to define a stunning variety of services delivered by a huge number of different service providers. For this reason, each service provider will have a different track record when it comes to maintaining security. It’s becoming increasingly difficult to distinguish cloud service types, what levels of security are being put into them and what customer bases might be accessing them. To make people think less about Cloud and more about the service provider and what they offer, let’s start with an analogy.
My car is better than your car
In my mind, cloud services can be likened to a car. There are many different types of cars available: small nippy cars, big family cars, stripped-down off-road monsters and ultra-plush executive saloons. Add to this different types and sizes of engine: diesel, petrol, electric, hybrid. Now think of the number of manufacturers from different countries, with different price ranges and target markets. Then, each manufacturer will have varying degrees of performance, efficiency, safety and reliability. Lastly, car manufacturers each have their own set of options and extras.
A cloud service provider is very similar to the car situation: just like Ford and General Motors, you have big US-owned public cloud providers, like Google, Microsoft and Amazon. Then there are medium-sized cloud providers who can be likened to established manufacturers like Renault, Volvo, and Mitsubishi. Lastly there are a large number of smaller, niche cloud providers who have their own specialist markets focussing on things such as security, performance or premium functionality. In our car example these could be likened to a Hummer, Caterham and Aston Martin respectively.
So like the car manufacturers, each cloud service provider will have their own variation of cloud, be it SaaS, PaaS, IaaS or one of the many other types of clouds emerging such as WaaS, MaaS and DRaaS (but I’ll stop before I start Joe off on another rant). And very much like a car, just because one manufacturer has a particularly poor safety record doesn’t mean another manufacturer can’t have a top-rated one, with five stars from NCAP. I view the cloud very much like this: there are some brilliant cloud service providers who have an excellent record when it comes to security and reliability, then there are others who probably don’t invest the time, money and effort required to ensure a secure and reliable platform.
It takes two to tango. Or even three or four.
The problem we face is that each and every cloud security breach we read about makes people view cloud and security in a negative way. Take the recent iCloud security breach: the publicity this received was prolific – it was on the front of almost every major newspaper. However, as it turned out, the iCloud’s security was not breached at all: it was poor passwords used by the celebrities that were the weak link. Good security is not just about systems; it’s also very much about ensuring good security procedures and practices are followed by everyone in the organisation. It’s a two-way street: cloud users must also do their part. And a cloud company who takes security seriously will make their customers, and even their customers’ customers, aware of their obligations to ensure maximum security.
I’ll leave you with one last thought. I remember being in a meeting with a potential customer a couple of years back and I had one of our Senior Engineers with me. The customer said straight away: “We need an absolute, cast-iron, 100% guarantee that our website will never, ever be breached.” To which my colleague turned round and said “Well, you’d better not connect it to the internet then.” This may have seemed a flippant remark but it is probably pretty close to the truth. Whilst there will always be an inherent risk when using online services, the risk can be managed, mitigated and made small: extremely good security is achievable and even affordable. Feeling safe in the cloud is not just about the service provider you choose, though naturally they play a vital role in maintaining your integrity; it’s also something which must be inherent within your own organisation and your third and fourth parties (such as software developers, payment gateways, etc.). Any cloud provider who categorically claims to be 100% bulletproof is, quite simply, lying to you. Or worse, ignorant of the facts about the world we live in.