Last week I engaged in a conversation about cloud security with friends from the IE Brown Executive MBA in our IT Strategy class, and I was asked for my personal position on the security of cloud services.
Cloud security is a matter of risk perception first
Nowadays, to keep a precious asset such as your money safe, you trust your bank. Most of it is not even physical cash but data stored in databases in your bank's datacenter, and you are fine with that. Except for a few paranoid people afraid of a major economic collapse and a bank run, nobody buries their savings in the backyard because it would feel more secure. And the notes buried in your garden would probably not retain much value after such a collapse anyway (see the hyperinflation in Germany after the First World War).
Why, then, when it comes to your IT and your data assets, would you consider your data safer when stored "on premises", in your own backyard? Are your IT operations so excellent that you can claim a 99.999999% availability SLA? What about your disaster recovery plan: do you have one, and when was the last time you tested it? Considering that IT operations are quite often partially outsourced to the cheapest bidder on the market, this is questionable to say the least.
Now consider your data security. If I were a hostile hacking entity specialized in economic intelligence, it would be far easier for me to target one specific industry and get a few of my people hired into the (outsourced) IT operations team, or better still into the janitorial services (sweeping the floor in the morning and swiping your hard disks in the evening), than to go looking for your data in a multi-tenant public cloud with millions of databases to sift through.
Although it is deeply human to feel that the risk is lower when we are in control, this is a matter of perception. It is the same reason why some people who panic on planes feel safer driving their car, although the statistics prove them wrong. Likewise, the fact that you can see and even touch the servers in your datacenter makes you feel more in control, but it does not make your IT more secure: this is the illusion of control, a well-known cognitive bias.
Most of these are beliefs and prejudices, and they are to be fought with facts and education.
Security is a matter of culture, organization and processes before being a matter of technology
It is mandatory to find the right balance between data security and data accessibility for collaboration. In the era of "big data" and machine learning, data locked away in highly secured silos has no business value.
However, how many corporations actually have actionable (ideally programmatically enforceable) business data classifications: low/medium/high business impact levels, rules for assigning them, data lifecycle management rules, processes to enforce them, and independent audits assessing their Governance/Risk/Compliance policies against an industry-recognized security assessment framework?
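What a "programmatically actionable" classification looks like in practice, as an added illustration that is not the author's code: each data asset carries a business-impact label, a policy table translates that label into mandatory handling rules (encryption at rest, allowed regions, public exposure, retention), and an audit run flags every asset that violates them. The policy table, the asset fields and the inventory below are all hypothetical and constructed for the example.

```python
"""Policy-as-code check: a business-impact label on each data asset drives its
mandatory handling rules, and an audit flags every asset that violates them.
Both the policy table and the inventory are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical handling requirements per business-impact class.
# A real policy would also cover access reviews, backups and deletion procedures.
POLICY = {
    "low":    {"encrypt_at_rest": False, "max_retention_days": 3650,
               "allowed_regions": {"eu", "us"}, "public_ok": True},
    "medium": {"encrypt_at_rest": True,  "max_retention_days": 1825,
               "allowed_regions": {"eu", "us"}, "public_ok": False},
    "high":   {"encrypt_at_rest": True,  "max_retention_days": 730,
               "allowed_regions": {"eu"},       "public_ok": False},
}


@dataclass
class Asset:
    """One data store, as an inventory or CMDB would describe it."""
    name: str
    classification: Optional[str]   # None models a missing label
    encrypted_at_rest: bool
    region: str
    publicly_reachable: bool
    created: date


def check_asset(asset: Asset, today: date) -> List[str]:
    """Return the policy violations for one asset (empty list if compliant)."""
    rule = POLICY.get(asset.classification or "")
    if rule is None:
        # An unlabelled asset cannot be handled correctly: that is a finding in itself.
        return [f"missing or unknown classification label: {asset.classification!r}"]
    findings = []
    if rule["encrypt_at_rest"] and not asset.encrypted_at_rest:
        findings.append("encryption at rest required but not enabled")
    if asset.region not in rule["allowed_regions"]:
        findings.append(f"stored in region {asset.region!r}, "
                        f"allowed: {sorted(rule['allowed_regions'])}")
    if asset.publicly_reachable and not rule["public_ok"]:
        findings.append("publicly reachable, which this classification forbids")
    age_days = (today - asset.created).days
    if age_days > rule["max_retention_days"]:
        findings.append(f"retention exceeded: {age_days} days old, "
                        f"limit {rule['max_retention_days']}")
    return findings


def audit(inventory: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map each asset name to its violations; compliant assets map to []."""
    return {a.name: check_asset(a, today) for a in inventory}


def non_compliant(report: Dict[str, List[str]]) -> List[str]:
    """Names of the assets with at least one finding, for the audit summary."""
    return sorted(name for name, findings in report.items() if findings)


# Constructed inventory: a mix of compliant, unlabelled and mishandled assets.
AUDIT_DATE = date(2022, 6, 1)
INVENTORY = [
    Asset("hr-payroll-db", "high", True, "eu", False, date(2019, 1, 1)),
    Asset("marketing-assets", "low", False, "us", True, date(2021, 3, 1)),
    Asset("customer-export", "high", False, "us", True, date(2022, 1, 15)),
    Asset("legacy-share", None, False, "eu", False, date(2018, 7, 1)),
    Asset("sales-crm", "medium", True, "us", False, date(2020, 1, 1)),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, AUDIT_DATE).items():
        print(f"{'OK' if not findings else 'FAIL':4} {name}")
        for finding in findings:
            print(f"       - {finding}")
```

The point of the exercise is that once the label exists on the asset, every rule in the policy becomes a check a machine can run on every inventory refresh, which is exactly what the "on premises" discussions about "confidential data" usually lack.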
These are the reasons why the cloud services offered by the major public cloud providers are likely to be more secure than most "on premises" solutions
- The bad and ugly truth is that, quite often, the "journey to the cloud" is the first time a corporation thinks about the security of its IT in a holistic, 360° way, so thank you, "journey to the cloud"! There are lengthy discussions about "confidential data" but no internal framework to define which data actually needs to be confidential. There are endless discussions about encryption in transit and at rest, while the on-premises servers do not even enforce HTTPS because there is no internal PKI to issue certificates, let alone encryption at rest. The journey to the cloud often acts as a revealer of the many weaknesses of on-premises infrastructures. Adopting the cloud will not fix them by itself, since the security level remains that of the weakest component in the value chain, but it will force you to ask the right, and mandatory, questions.
- Cloud operations are highly automated, and logs are generated for every single action by design. Minimizing human intervention means more stability, more reliability, more reproducibility and less exposure to bribery and other human dynamics; automation also brings better economic efficiency and reduced OpEx.
- Cloud operations and datacenters are certified: HIPAA compliance and the ISO 27000 family, to name a few. Microsoft datacenters hold almost all the security-related certifications and were the first to be ISO 27018 certified, and the other major cloud service providers probably have an equivalent set of certifications. This means that security is assessed regularly by independent bodies using frameworks recognized by the community concerned with security in general and cloud security in particular. How many "on premises" infrastructures get audited that way?
- Last but not least: these are public infrastructures, and this has two major consequences:
  - Any security failure would have a disastrous effect on the provider's business, so cloud service providers are genuinely concerned about their customers' security. Just like airlines, they do not want their datacenters to "crash" or "get hacked", and as with airliners, any incident or accident has a great magnitude both in scale and in terms of crisis communication.
  - There is a great incentive for attackers to go after such infrastructures, given how much data is stored within. It is like banks: attacking the central deposit bank is more interesting than attacking one small branch, but it is also much harder, and such datacenters should be equipped like Fort Knox with a multi-layered security architecture. Of course, one should question the economic balance between the investment required for such a sophisticated attack and the potentially huge reward of cracking such an Ali Baba's cave. But any business should likewise weigh, objectively and rationally, the risks associated with adopting cloud technologies against the business benefits: zero CapEx requirements improving your working capital (CFO), faster go-to-market (CEO), and innovative, business-relevant solutions (CMO).
