Fear of the cloud in today’s security landscape is largely misplaced. While it’s the simple things that are frequently the best option for security, factors such as growing network structures and a mobile workforce mean businesses are challenged with many systems that need to be secured against a growing range of security threats. Many IT professionals feel overwhelmed with the burden of coverall aspects of security and are expressing fear of the cloud. However, there are some really compelling reasons to be looking at the cloud for security.
A 2015 study conducted by Forrester Consulting suggests security experts overwhelmingly believe security should be delivered as a platform, and cloud-delivered security offers better protection at a lower cost than traditional on-premise security. Nearly all decision-makers recognise that integrated platforms can deliver better security functionality than point solutions.
Based on this finding, let’s look at some of the advantages of moving to the cloud:
- The majority of breaches that have occurred over the past two years have resulted from on-premise issues. Let’s take one of the largest data breaches of 2016 to date, the Panama Papers data leak. The firm allegedly ran its unencrypted emails through an outdated (2009) version of Microsoft’s Outlook Web Access. Outdated open source software (WordPress and Drupal) running the frontend of the firm’s websites is now suspected to have provided a vector for the compromise. The firm’s main site is also loading a number of outdated scripts and plugins, which were all on-premise boxes. Certainly the move to Office 365 (in the MSFT cloud) would have mitigated the outdated, unencrypted web access situation.
- Moving services to hosted cloud providers means a simple, easy upgrade. For those of us who spent our formative IT years doing system upgrades and hard drive capacity expansions, those calls were long and challenging. In the cloud, adding capacity, CPU cores, disk capacity and memory is usually just a right click and select option. Nothing is wasted; you don’t even have to throw out those 256MB proprietary SDIMMs when you replace them with 1GB ones. Backups also become as simple as ‘taking a snapshot’ as moving large data sets like backup cloud to cloud is a lot quicker than up and down. This is the foundation of solid security.
- Have tighter controls on administrative rights. In most cloud services, user access is application specific and security controls are far more granular. There is usually only one super-user, account holder or administrative account for hosted solutions. Adding users in hosted services usually has a financial control – i.e. it costs more money – so fiscally responsible organisations are quick to delete or re-assign licenses as requirements dictate. User permissions and administrator functions are again, usually deliberate decisions in the console of a hosted service.
- On-premise servers are expensive. When you combine the costs of the hardware, the operating system licensing and the application licensing with the physical server, you are looking at considerable upfront costs. If you need to scale, cluster or load balance your only option is to purchase another server. This is where ‘pay as you go’ pricing has a huge advantage; all your costs are incurred as you use the service.
Even though moving the WordPress and Drupal sites to the cloud may not have mitigated the risk of unpatched boxes, it would have likely prevented the compromise of the on-premise network. With hosted cloud services it’s possible to build on-premise networks with no external ports or services located on the Internet. When that architecture is adopted, facilitated by hosted services, outbound network activity to a limited number of IP address(es) is easy to monitor. So, in the instance of a data breach occurring within an on-premise box, cloud-based solutions would make it more difficult for hackers to access data.
The majority of cloud providers offer attractive subscription-based options with loads of add-in security, such as application firewalls, geo-IP filtering and VPN endpoint technology. For MSPs, removing physical servers from customers and putting them in the cloud can be done without affecting recurring revenue. The customer still has a ’server’ after all – it’s just in a data centre – and endpoints will never go away as they are the technology needed to access the cloud. Furthermore, when it comes to protecting the server from physical threats, such as weather and theft, you can’t beat an SOC 2-compliant data centre.
From the above it should be clear that moving servers and services to the cloud is a huge win for security and ease of administration. However, the last point in favour of cloud services is perhaps the most compelling: the vast majority of cloud providers offer security features that are costly to implement into on premise networks. IP address(es) for whitelisting access, two factor authentication for account access, granular user controls and advanced security analytics to detect account credential compromise are all possible.
So, far from shying away from the cloud, you should be embracing it and the efficiencies and extra security it can give you.
Ian Trump is Security Lead, LOGICnow