A new research report from cloud security provider CloudLock argues that more than a quarter of cloud workloads used in corporate environments are “high risk.” Of course, CloudLock is biased; it makes a living spreading FUD about security, tapping into old-school IT fears about cloud computing. Its conclusions are largely foregone.
Although this is yet another self-serving report from a vendor, it’s a good opportunity for me to make sense of this information for everyone else.
First, the alternative to using the cloud is to leave the applications pretty much unprotected on premises.
On-premises systems — not cloud-based workloads — have been the favorite target of hackers in the last several years. Why? Because collectively, organizations have been doing a pretty good job of securing applications as they migrate to the cloud, incorporating the newest technologies and placing a sound layer of security around them.
It’s true that organizations moving applications to the cloud without a thought on how to improve security will find that their risk of hacking is about the same in the cloud as within the local data center. That’s not a risk from the cloud but from poor IT.
Second, this report operates on the premise that the cloud is inherently riskier and claims you need special technology to remove that risk. (Gee, I wonder where you can buy that technology?)
You likely need better approaches to security and security technology than you have today. Migrating to the cloud provides an opportunity to do so and brings in more security resources from the cloud provider than most organizations can muster themselves.
Again, the security risks of the cloud platforms themselves are low, which is why hackers focus on your on-premises deployments instead. What does that tell you?
There is a lot of misinformation, including self-serving FUD from security and on-premises providers to drive sales, as well as overoptimism from cloud providers that downplays the real risks (also to drive sales).
Either approach can be harmful, but on balance the bulk of the misinformation comes from the security and on-premises providers. IT organizations should be careful not to let their own fears and prejudices be abused by such tactics. Yes, verify cloud providers’ claims — doubly do so with claims from those who try to steer you away from the cloud.