The original version of this post was published on SecurityWeek.
Less than ten minutes driving west from my home, you encounter a vast expanse of large, windowless buildings. Situated near them are impressive physical plants dedicated to cooling these buildings and providing back-up power in the case of a power failure. Whenever I drive past these complexes I always point them out to my passengers and say: “You have heard about the cloud–well, there it is.”
Businesses are moving mission-critical applications to the cloud at a rapid pace. The cost savings and other benefits simply are too persuasive not to move to the cloud. So why do organizations hesitate? Analyst studies cite security concerns as the number one inhibitor of moving sensitive applications to the cloud.
Let me examine these concerns by breaking down the conversation into two pieces: the cloud infrastructure and the applications running in the cloud.
I was once concerned that moving to the cloud was fraught with unknown perils. Then I walked into a cloud security panel of really smart, progressive security types at the RSA Conference in 2014 called “Is the Cloud Really More Secure Than On-Premise?” No less a luminary than Bruce Schneier told the audience to essentially wise up and realize that established cloud providers had more security resources and expertise than any enterprise, and that they provide security that is comparable to or exceeds that of any enterprise.
In other words, the cloud is more likely to be secure than your own environment. Therefore, you can add security to the list of benefits that make the cloud so enticing, and remove it from your list of concerns. Privacy experts will continue to call attention to questions about data leakage and other potential maladies, but the cloud environment appears to be a secure choice. Certainly there has been no flood of breach stories coming from the early adopters.
What we had to worry about was ourselves. Research actually shows that it is not the cloud that is the security risk. Over 90 percent of security issues originate with the enterprise, and not the cloud. We remain our own worst enemy, it seems, even as technology moves forward.
It is important to note that experts like Schneier are speaking from an infrastructure perspective, focusing on the broader network and data security. We still need to consider my second point regarding the security of the actual applications running in the cloud.
For that I will start with a simple truth: Moving an application full of security vulnerabilities to the cloud does not make it more secure.
The most basic cloud implementations follow the infrastructure-as-a-service (IaaS) model, where the cloud provider manages the physical devices, the network, the storage and the hypervisors. We have established that these providers – with proper vetting, of course – provide this in a secure manner. The IaaS model is often the entry point for organizations moving to the cloud, as they are able to “lift and shift” applications from their environment to the cloud in order to start reaping the benefits.
Picking up an application with security problems from your infrastructure and placing it into the cloud does not suddenly remediate the security vulnerabilities or mitigate the risk. It is like the Neil Gaiman quote “Wherever you go, you take yourself with you.” Wherever you run an application, its vulnerabilities will follow. If an organization does not follow the basic principles of software security, the risks remain.