Conventional IT wisdom says that you’re safer and more secure when you control your own on-premises datacenter. Yet if you think about every major data breach over the last two years, whether Anthem, Sony, JPMorgan or Target, all involved on-premises datacenters, not the cloud.
In fact, if a cloud service has proper controls, it could be safer than running your own datacenter. Amazon, Google, Salesforce and Box to a company have much more at stake when it comes to security. A breach could prove devastating to their businesses.
That could be why it’s hard to come up with a major security snafu involving a cloud provider. Other than the Jennifer Lawrence photo breach and the subsequent celebrity leaks, it’s hard to think of anything on the magnitude of those high-profile on-prem hacks involving the cloud.
It could simply come down to a feeling of control. When you run your datacenter on-premises, you feel like you’re safer, but are you?
Who’s More Secure?
First of all, aside from a few exceptions, most companies simply don’t put the resources into security that a cloud company does.
Their business is not about security, at least not directly, and it’s usually not the first priority for a CEO looking at the bottom line. While a high profile hack is embarrassing and creates a lot of economic fall-out, the primary purpose of the business is about servicing customers.
David Cowan, who has been funding security companies since the 1990s for Bessemer Venture Partners says most companies don’t think about security, and Sony was no exception.
“Sony has a technology business, but they are not Google or Amazon. They make movies and they hire people who are great at making movies. That’s what they think about. They don’t think about data, trust and security.”
Cowan says that doesn’t necessarily mean we’re safer in the cloud, but believes that mature cloud providers like Google and Amazon are likely safer than the typical data center. He says the problem is there are varying levels of maturity across the vast array of cloud services out there.
“We don’t keep all our data in Google or Amazon. We keep it sprinkled on dozens or hundreds of sites,” he pointed out — and the problem is not all come with an equal level of security.
Who Controls Your Data
One of this issues around cloud computing is who exactly controls the data. If law enforcement comes knocking at the door, would the cloud company be forced to hand over your content, even if you didn’t want it to? The rules aren’t crystal clear, but some cloud vendors are forcing the issue.
Earlier this year, Box released a product called Enterprise Key Management that puts your company firmly in control of your content. Box couldn’t give the content to law enforcement no matter what because it’s encrypted and only the owner has the encryption keys, forcing the law enforcement official back to you to get at it.
But much like Cowan’s assessment of cloud security, not every cloud vendor has this capability and without it, the situation becomes much murkier. Cloud vendors like Google are constantly dealing with requests for user information and as a company it has to decide how to deal with them.
The Electronic Frontier Foundation publishes an annual report regarding which online vendors “have your back” when it comes to law enforcement requests for information. Most, but not all, require a warrant to look at your data now. This wasn’t always the case if you look at past reports, even as recently as 2013.
EFF also has an annual report on how much encryption major cloud services are providing so you can see how well-protected your data is in transit and at rest.
Spreading The Data Around
If you think about what happened in the Sony breach, hackers got into the system, and because it was a single system, once they had penetrated the defenses, they got at everything from emails to unreleased movies to partnership plans –and it wasn’t pretty. But if the data had been spread across various cloud services, even breaching one service would only have meant getting at the data stored within the breached service.
I spoke to one company, CloudAlloy, last year in Startup Alley at TechCrunch Disrupt San Francisco, who took this idea of spreading your risk a step further. CloudAlloy wants to spread pieces of your files across different servers. The various pieces would then come together when you called the file. The company claimed this happened with zero latency and with your spread out in this fashion, if a hacker got into one server, it would have a meaningless piece.
Spreading your data across various repositories means getting into one, wouldn’t compromise your entire data store. It’s an approach that makes a lot of sense.
No approach is going to be foolproof, especially with people involved. Things can and will go wrong. Phishing expeditions or brute force attacks can allow hackers to force their way into individual accounts, as the Jennifer Lawrence situation proved.
Yet we’ve seen that private datacenters are vulnerable too, and having your data onsite is no guarantee it’s going to be safe, quite the opposite. The cloud may offer the best hope we have at this point, which is fairly ironic given that security has often been the chief criticism of cloud computing from the start. Yet in the end, the cloud may be your most secure bet.