According to new research from Nominet, more CISOs think that the risk of a security breach is either the same, or lower, when data is stored in the cloud compared to on-premise environments.
The "Cyber Security and the Cloud" report appears to be something of a tipping point as far as cloud security, or rather how cloud security is perceived, is concerned. However, digging into the data reveals that it is not yet quite the black-and-white moment that many have been waiting for.
So, for example, 71 percent of those questioned were concerned about malicious activity in cloud environments, and 56 percent flagged GDPR fines as being their biggest cloud concern. As to the level of that concern, UK-based CISOs were less concerned (13 percent responded "extremely concerned") than their US counterparts (21 percent). Similarly, there were differences when it came to the concern levels of different industries: those working in heavily regulated sectors were far more concerned by the security risk of cloud environments than others. Healthcare (55 percent), financial services (47 percent) and pharma (46 percent) led the way.
Most unsurprisingly of all though, organisations that had already been breached were more than twice as likely to consider the cloud higher risk than on-premise solutions.
"Security has traditionally always been cited as a barrier to cloud adoption, so it is significant that the perceived risk gap between cloud and on-premise has disappeared," Stuart Reed, VP of cyber security at Nominet, said. "It's evident that security concerns are no longer an insurmountable barrier to cloud deployments given the high adoption rate of cloud services."
Never one to shy away from a good cyber-debate, SC Media UK thought we'd put the cloud vs on-premise risk question to a broad selection of infosec industry professionals. We asked whether they agreed that the cloud is now just as safe as, or safer than, on-premise as far as the data security risk is concerned.
Here's what they had to say.
Nilanjan Samajdar, principal systems engineer for Altran, kicked things off by likening the cloud vs on-premise question to Brexit, something that is rather divisive. "On one end of the spectrum enterprises would just love to move to the cloud to save costs," Samajdar says, "on the other, regulatory compliancies and the risk of a data-breach worry many IT teams, especially after regulations like GDPR were introduced." According to Samajdar, regulation is the biggest hurdle, suggesting that "the hybrid cloud model offers a happy medium for IT security teams, changing the industry perception of security as it offers the capability of storing sensitive data on-premise while doing the heavy-lifting on the cloud."
Ed Williams, director EMEA of SpiderLabs at Trustwave, is concerned that when enterprises opt to run a hybrid model, the security boundaries between the two blur. "It is critical that these boundaries are given appropriate scrutiny to make certain they’re configured both correctly and seamlessly," Williams says.
Also on the subject of boundary balance, Bindu Sundaresan, director at AT&T Cybersecurity, thinks the cloud can be just as safe as, if not safer than, on-premise as long as the enterprise realises "that security becomes a shared responsibility between the organisation and the cloud provider." While it may be tempting to rely solely on the provider, she insists, "it is critical that the organisation’s IT security team still has visibility and control over data stored in the cloud, because ultimately it will be their responsibility to secure."
Sergio Loureiro, director of cloud solutions at Outpost24, is quite clear in his opinion: "Since 2010 I keep saying that the cloud can be more secure than on-prem. From the infrastructure perspective, big players such as AWS, Azure and GCP have great security talent and processes and enterprises benefit from it."
Simon Eappariello, SVP of product & engineering (EMEIA) at iboss, also says that "in most cases the cloud is a safer place for data than on-premise because the risk associated with data loss in a well-designed and well-monitored cloud environment is undoubtably lowered." He cites the internal malicious employee risk to on-premise data, something he insists the cloud can mitigate, "as most cloud services and environments provide stringent standards such as SOC2 that tightly control access to the physical compute environments at a higher level than organisations can implement for on-premise."
Boris Cipot, senior security engineer at Synopsys, is less enthusiastic and points out that "complexity has never been a friend to security. The more complex a system, the harder it is to define and maintain security policies for it and its usage, or even to monitor the usage and identify breaches." This applies in particular to multi-cloud environs where "your used functionality is spread out on several different platforms," Cipot says, "to which you connect from your network and which you also need to connect with each other."
More on the fence, or rather on the side of the cloud but with caveats, is Matt Aldridge, senior solutions architect at Webroot. "The cyber-risks associated with cloud infrastructure generally reflect the same risks that have been facing businesses online for many years now," Aldridge told SC Media, "a key difference however is that the impact of cloud services being compromised, can on the surface appear to cause smaller impact to the victim than a more traditional on-premise compromise." This leads to some administrators and operations teams potentially trying to cut corners when it comes to the security of their cloud infrastructure. "All cloud services are not created equal," Aldridge concludes, "so must be carefully vetted for compliance with corporate security standards and with any other standards to which your organisation must comply."
We'll leave the last word with Sam Curry, chief security officer at Cybereason. "Are you safer in the cloud or managing your own stack?" he asks. For many, he replies to his own question, "the answer is a loud yes. Most of the time. For a while." Curry warns sagely that given the state of security today, honestly, it’s complicated. "Which is a very unsatisfying answer," he concludes, "but has the virtue of being true."