Is cloud computing really safe?

In this sponsored opinion piece, Webroot's senior manager of threat research David Kennerley, examines the safety issues around moving to the cloud

Recently, I was asked for my views on cloud computing and the security concerns around it. Are these concerns well-founded, and should they prevent companies from moving to cloud-based technologies?

First, it's important to note that many businesses, large and small, have moved to the cloud in recent years, and have enjoyed great success and excellent ROI. As with any technology, there are many valid reasons both for and against its use, and security will always be the main deterrent to cloud computing adoption. There are a lot of security myths about cloud computing.

The biggest misconception is that, upon adopting cloud usage, your data will no longer be as safe as it would be with an on-premise approach, locked away behind the corporate firewall. But this is backward thinking; the corporate firewall can no longer be seen as some all-powerful gatekeeper.

Other myths I've encountered:

• "My business doesn't even use the cloud." We live in a world where so-called Shadow IT is now the norm. Files are being shared, new collaboration and messaging tools are being used. Whether they realize it or not, everyone is using the cloud in some way. That's why it's so important that IT get involved.

• "The cloud isn't secure. You are more likely to be breached." There is no evidence to support this and the large proportion of the major security breaches of 2015 occurred because data on on-premises servers was stolen. Physical control of data doesn't not make it inherently more secure. If you apply the same level of due diligence to securing the cloud as you would internal resources, then the same level of protection should be expected. Don't forget: the CIA use AWS.

• "Cloud tenants can spy on each other." Although tenants within a public cloud share the same processing, storage, and other computing resources and services, they are separated by very robust virtualisation technologies. While many areas of cloud computing may lack maturity, the strong virtualisation, isolation, and partitioning technologies available are not among them. If you experience a breach, the likelihood that it was due to vulnerabilities in the underlying technology is shrinking by the day.

• "The cloud security debate is simple." This is the biggest myth regarding cloud security, and it is difficult to address. To determine how secure a cloud solution is as compared to a non-cloud deployment solution, we need to take in to account so many variables. These variables depend on the size of the organisation, the nature of the business, expertise of in-house staff, risk tolerance, budget/turnover—and that's only the beginning.

As public cloud services continue evolve and mature, we will continue to see fewer security incidents related to the underlying technology. A Gartner Top 10 prediction for 2016 suggests 95 per cent of cloud security failures through 2020 will be due to customer actions. This highlights what many security experts are already saying: it's not the technology at fault. It's the implementation, the maintenance, the reporting, and the incident response that need to improve.

IT departments need to take a lead role in how cloud computing is utilised, managed and, most importantly, secured. With dwindling support for the more traditional in-house services, it's essential that new cloud offerings receive at least the same as the previous amount of support and management. Previous IT service management processes still need to be applied.

Instead of fearing the worst, CIOs need to be the leaders of this computing evolution—enhancing their businesses through well-balanced and highly considered decision-making. The needs of every potential cloud customer are different; as is the level of technical expertise required of the IT and security staff charged with keeping company data secure.

That's why potential decisions need to be well-researched. The technology is only part of any solution; additionally, you have to consider planning, implementation, and the controls and monitoring to leverage the solution to its full potential and benefit the business accordingly.

Both cloud service providers (CSPs) and enterprises are entering into a mutual agreement. The enterprise must be aware of what the CSP is providing, as well as where the line is between the responsibilities of the CSP and those of the customer. This needs to be clearly documented and accepted.

Enterprises also need to take the time to understand how and where their data is stored; although in the cloud, it is still physically stored somewhere. The maturity of the CSP and, in some cases, even the CSP headquarters location are important as well. Businesses must ask what access controls and validation are in place; what happens if there is a breach; what is the disaster recovery plan; etc.

Ultimately, the most important thing to remember is that it's your data and you are responsible for securing it. When adopting cloud technology, you need to understand the breadth of services available, the full needs of your business, and, perhaps most importantly, exactly what you're protecting your data from.

Malware and data theft techniques change daily, even hourly. To protect your data, you need to select next-generation solutions that can adapt to suit increasingly diverse endpoints across an increasingly diverse internet landscape—and you need to understand the malware trends that could affect your business.

Get More Info Want to find out if Webroot has what it takes to protect your customers? See for yourself with a no-risk FREE trial.

You don't even have to uninstall existing security. Are you an MSP? If so, our Endpoint Protection with Global Site Manager (designed with MSPs in mind) is the trial for you! Click here.