Several of Anue’s fastest-growing customers are cloud providers. As the transition from traditional in-house computing to cloud computing is occurring, one common objection raised is information security. The really interesting thing about the objection is that experience is proving to be the opposite.
In fact, Symantec’s 2011 State of Cloud Survey Organizations found that customers are conflicted about security—rating it as a top goal as well as a top concern, with respect to moving to the cloud. Eighty-seven percent of respondents are confident that moving to the cloud will not impact and may even improve their security status. At the same time, cloud was identified as a top concern for potential risks, including malware, hacker-based theft and loss of confidential data.
The Cloud Security Alliance 2010 publication, Top Threats to Cloud Computing v1.0 identifies the following potential threats:
- Abuse and Nefarious Use of Cloud Computing
- Insecure Application Programming Interfaces
- Malicious Insiders
- Shared Technology Vulnerabilities
- Data Loss/Leakage
- Account, Service & Traffic Hijacking
My theory is this. While cloud computing DOES introduce some additional business considerations, on the balance it greatly improves IT security for organizations, especially non-technical SMBs.
Cloud providers take security incredibly seriously. If you don’t believe me, try to get a tour of a cloud provider data center. You will be lucky if they even tell you the city the data center is in. If you do get a tour, it might require vetting, including a check of your criminal record and background.
Managed cloud providers also hire some serious security talent. Unlike an SMB, where the IT guy may have the luxury to think about security between urgent, business-driven tasks, cloud providers typically have teams of full-time security professionals. Many of these folks come from organizations with three letter acronyms that are extremely security-conscious, and they aren’t shy about investing money in security. Their day job is to proactively monitor network behavior, and they have many tools (such as Anue’s NTO) at their fingertips to do so.
When a cloud server is attacked, cloud providers have the necessary technology to isolate and contain the situation, proactively protecting their customers. Any network behavior that deviates from normal patterns is identified and sets off alarms, often provoking automated responses and setting off further investigation by the security team.
Cloud providers have diligence in maintaining secure infrastructure, whereas an SMB is unlikely to be able to keep on top of maintenance. Most incidents involve known vulnerabilities that the IT group just hasn’t had a chance to patch. As Casper Manes says in his (excellent) post on patch management on The Hacker News, “I’ve spent most of the past decade in information security, with a pretty big focus on incident response. It never ceases to amaze me how many security incidents (pronounced hacks) customers suffer as a result of unpatched systems.” The SMB is in a particularly bad position here, with limited resources and too much work for network administrators in the first place. Cloud providers, on the other hand, have skilled personnel, automation and the tools they need to do a great job on patch management.
It’s like cutting your own hair – a job usually best left to professionals.