The Cloud has become synonymous with SaaS (Software as a Service) and off-site data backup. But many companies still feel more secure housing their data on premises, on their own servers.

We have all heard of network breaches that have hit companies like Apple, Target, Home Depot and JP Morgan Chase. The heightened media exposure is undoubtedly creating additional scrutiny and concern when it comes to security and data protection. And although data protection and security are extremely important, the vast majority of attacks like these have almost nothing to do with Cloud services.

To really dig down to the root of the issues, it is appropriate to tackle a few common myths associated with Cloud-based security:

MYTH 1: External internet threats are more threatening in the Cloud.

Although external internet threats are real, they are no more threatening to the Cloud than to any other service delivery model. The “Cloud” in essence is a series of computers linked together to offer redundancy and scalability. The same vulnerabilities that exist in an on-premises network exist in a Cloud environment. They should be addressed with proper policies and procedures, as well as thorough engineering examinations and vulnerability scanning. The fact is, if your business is connected to the Internet, you need to worry about security, the same as a Cloud provider does.

MYTH 2: You can’t control where your data resides in the cloud.

Data residency is a concern for many industries including health care, financial services, governmental agencies, etc. The main concern here is that when companies do not know where their data is, they believe the risk of loss or theft increases. This again is not necessarily true, especially when factoring in the human component, but we’ll leave that for another post. This myth is about the belief that “in the Cloud” means no control over the location of your data. The truth is that there are different types of Clouds. A private Cloud, for example, is basically a scaled-down version of a public Cloud, built and managed by, or for, a specific company. With a private Cloud a business can customize and control where data is located and how it is accessed. A private Cloud can be deployed either within an organization (on premises) or within a hardened data center. Either way, customers of private Clouds dictate much more of the system than is possible with a public Cloud.

MYTH 3: Internal networks are more secure than the Cloud.

Again, from the outside this statement may seem to be accurate, as all physical devices are controlled by the company, and internal IT can govern the policies to access data. Unfortunately, in most cases this is just not accurate. In most small and medium-sized businesses, the cost of employing the security resources necessary to properly protect the business makes doing so nearly impossible. With rapid advancements in technology, and the constantly shifting tactics of attackers, internal IT teams would need to allocate vast resources and time to adequately keep up. Cloud service providers, on the other hand, typically spend much more time, money and resources on security systems and security policies than most small businesses are able to. As CTO of Nimbix Leo Reiter (@virtualleo) states, “Cloud providers live, eat, and breathe network security while most other organizations don’t usually list it as one of their core competencies.”

Ultimately, breaches in security are more a result of poor password policies, poor release management for software patches, improper management of user roles and permissions, a lack of security training for staff, and other weak data management policies.

  • When the correct security policies for preventing and detecting attacks are implemented, attacks are no more threatening to the Cloud than to any other piece of infrastructure.
  • The physical location of the data matters less than the access and associated controls put in place.
  • Firewall configurations, penetration testing, VPNs, etc. are all just as important when working with a Cloud provider as they are when working on premises.
  • Security should extend down to each individual enterprise application and employee.
  • Training staff to avoid common attacks (like this and this) is a must for all businesses.

Overall, Cloud-based services are not necessarily more or less secure than anything else. If security is a concern, and it should be, it needs to be addressed adequately regardless of whether you stick with a traditional IT approach or focus on newer technologies like the Cloud.
