Clouds are less secure.
This is the long-held wisdom of cloud computing, the notion that goes bump in the night and keeps many companies from moving any or all of their data off local stacks. It comes with a host of anecdotal "evidence" to prove the point: Surely, cloud services must be less secure because they're "outside," beyond the benefit of in-house protection and testing. But what if the oft-repeated notion is wrong? What if cloud computing — and cloud-based application security — is actually more secure than staying on-site?
Bank on It?
According to an article from American Banker, cloud infrastructure may trump local networks when it comes to keeping banking data safe. The article notes that while the on-site infrastructures of 43 financial organizations were breached in 2014, no major cloud providers were hit. As Dan Latimore, the senior vice president of banking firm Celent, says, "Dedicated service providers may have a better chance, due to their single-mindedness of purpose and their budgets, of providing more robust security than can a bank on its own." TechTarget has data to back up this assertion, stating that on-premises environments experience an average of 61.4 attacks, while cloud providers see only 27.8.
There are some obvious caveats: Banks are naturally higher-profile targets than even large cloud providers, given the amount of personal and financial data stored on company servers, which could explain the lower number of overall attacks and the lack of any serious breaches. But there's more to the story.
Armed and Data-Less?
As noted by a recent ZDNet article, companies choosing to keep their data on-site often fall victim to a kind of perceptive dissonance when it comes to security: They believe what they've been told, that IT security is an "arms race." In fact, according to a Leviathan Security white paper, "Modern methodologies allow attackers continuously to probe the trust boundaries of any organization, which means that rather than waiting for an overwhelming advantage, an adversary will exploit any temporary lapse." This lapse could be anything from routine maintenance activities to patching or even minor changes to network infrastructure. In other words, this isn't an arms race — it's an opportunistic attack. Cloud providers can have an advantage when dealing with this new threat landscape, because their services can be designed for continual change and with the underlying assumption that attackers are always skulking near the gates and searching for weaknesses.
Securing application infrastructures at large poses the same problem. But cloud-based application security providers have an advantage when dealing with constantly changing applications, because their single-mindedness of purpose and research can provide more robust security assessments than a typical enterprise can on its own. By using cloud-based assessments to evaluate applications at each stage of development for potential risk, it's possible to determine: What risk does an app pose in its current form? Does it use third-party code with known vulnerabilities? Does it depend on data sources beyond the company firewall? Do new frameworks or functionality make an existing vulnerability exploitable? Uncovering and mitigating these serious issues before they're exploited by attackers can dramatically lower business risks.
Is opting for the cloud more secure than keeping data in-house? In certain cases, yes. Organizations with high-value data and long-reach apps such as banks may now benefit from the single-mindedness of cloud computing along with its variable attack surface; while staying local offers more direct control of apps and services, it also creates a larger, stationary target. Bottom line? Staying still could break the bank.