By David Linthicum
The recent discourse around the security of cloud computing in the banking sector, highlighted by Nicholas Fearn’s piece in the Financial Times, paints a somewhat grim picture of the cybersecurity landscape when it comes to banks moving to cloud computing. Not to pick on just this article, but I’ve seen this as a trend in the past few years, as the value of cloud computing has been called into question more and more. This is a change from just a few years ago when it was verboten to criticize “the cloud.”
What happened between then and now? Enterprises saw the weaknesses of cloud computing platforms, such as costing too much and being difficult to leave. This made it okay to point out the issues with public cloud providers, and I’ve certainly done my share, even when it was not trendy to do so.
Migration to the cloud is often portrayed as a double-edged sword. It offers significant benefits in terms of scalability, efficiency, and cost-savings while simultaneously exposing financial institutions to new vulnerabilities and cyberthreats. However, this narrative may oversimplify the complexities of cloud security and overlook the broader context of cybersecurity.
Misconceptions about cloud security
The notion that cloud computing inherently decreases security is a generalization that fails to consider the advancements in security protocols and practices within the cloud industry. The fact is vendors are spending much more on developing and deploying security systems for the cloud than they are for traditional on-premises systems. This increased spending is coming from the public cloud providers themselves as well as from builders of third-party security tools. Therefore, cloud security technology is normally much better than the on-premises options.
Cloud service providers are acutely aware of their responsibility to maintain robust security. These companies invest heavily in security research, development of secure technologies, and compliance certifications that often exceed those in many other business sectors. In fact, the centralized nature of cloud services allows for quicker updates and more uniform implementation of security patches, a significant advantage over traditional decentralized IT systems.
So, why are these articles being written? If you look at the architecture of public cloud providers, your data is sitting on clusters of physical servers, but you have no idea where those physical servers actually are. This uncertainty breeds a fear that security is going to be a problem since you can’t touch your servers. This is more of a mental perception than a true security problem.
Technical skills are another basic root cause. The article points out that misconfigurations are the most common security threats to cloud-based systems. That, of course, is a human issue: People, not public cloud providers, are the ones who misconfigure security settings, and this allows breaches. Although you can’t really blame the cloud providers for that one, the industry does. Of course, the same threats exist with on-premises systems, perhaps more so than in the cloud. It’s just overlooked because scary security stories about cloud providers just seem more…well, scary.
Misplaced blame?
The article suggests that cybercriminals who exploit cloud vulnerabilities and misconfigurations are leading to increased risks. However, these issues can indicate broader challenges in the cybersecurity practices of the enterprises themselves rather than inherent flaws with cloud computing.
It’s also important to differentiate between the security capabilities of various cloud service providers. Not all clouds are created equal. The major providers, such as AWS, Google Cloud, and Microsoft Azure, offer highly sophisticated security features that can be tailored to the needs of enterprises. Smaller providers may not offer the same level of security, which could skew the perception of risk when discussing cloud security in general terms. By the way, this does not mean that small providers don’t have effective security, only that there is not as much investment made in their security systems.
Another aspect overlooked in the debate is the role of hybrid models where enterprises have both on-premises and cloud-based infrastructures. This approach allows enterprises to store their most sensitive data on private, on-premises servers while still enjoying the flexibility and scalability of the cloud for less sensitive operations.
Lastly, the article touches on potential future threats from quantum computing, which could theoretically break current encryption methods. This is a future consideration that would affect all aspects of digital security, not just cloud-based systems. Trust me, cloud providers are already working on quantum-proof encryption methods to secure data against emerging threats.
Although the security risks associated with cloud computing are important, it is crucial to keep a balanced perspective. I’ve never been an apologist for cloud computing platforms—or any other platform for that matter. When it comes to security, we need to understand exactly what the issues are and how they can be mitigated. Lately, public cloud providers have been getting a bad rap, perhaps for no valid reason. We can’t let that fog our evaluation of platforms to host our applications and data.
