Allaying the AWS security concerns: How the cloud became more secure than on-premise
By Cameron McKenzie
As recent as even five years ago, security was one of the top concerns holding enterprises back from creating a meaningful presence in the cloud. But today, businesses are grappling with the full scope of their vulnerability, and reconsidering their position as a result. After all, in a world of increasingly interconnected technology, simply having physical control over infrastructure that is on-premise or in a collocated data center is no guarantee of safety. Potential avenues for intrusion are increasing, and an ever-expanding array of resources must be brought to bear to thwart data breaches and cyber-attacks. For many organizations, that means embracing cloud computing technologies, not shying away from them.
Internal concerns versus the fear of the unknown
With on-prem, you're going to spend a large amount of money building a relatively frozen platform.
AWS Senior VP
Do data centers and networks run by cloud providers feature a greater level of security than what most enterprises can achieve on their own? That's becoming the common conclusion. Charles Phillips, CEO of Infor, says his firm is moving clients into the cloud at an aggressive pace, and off-premise security concerns are no longer the issue. "In the old days, companies were more concerned about the public cloud not being secure," said Phillips. "Today, most of their security breaches are internal. They now view the cloud, particularly AWS, as more secure than their own facilities."
For many organizations, a poorly protected password, a lost mobile device, or a disgruntled employee is likely to be a bigger risk than any targeted attack from the outside. Internal policies and procedures to prevent internal breaches can be implemented regardless of where infrastructure is located. In fact, having a cloud provider involved may actually reduce the risks of an internal breach. First, the physical equipment is not accessible to employees. Second, cloud partners have a broad range of additional security features that provide better access management. And finally, a cloud-based solution may offer more options to minimize or shut down an attack swiftly and recover data if there is a breach.
So far, the track record for major cloud providers has been fairly good. Large scale data breaches, such as the problems with MongoHQ, have been the result of inadequate security measures at the vendor level rather than a failure on the part of Amazon. In another widely publicized incident, hackers used AWS as a platform from which to launch cyber-attacks on Sony while AWS itself was not breached. There have also been disclosures of potential security issues with the major cloud players. For example, German researchers exposed the fact that AWS was vulnerable to techniques such as signature wrapping and cross site scripting in 2011—a problem AWS moved quickly to fix. However, neither AWS nor IBM has experienced a substantial cloud platform security breach in recent history.
Closing the technology gap
Enterprises are starting to seriously consider the cloud as a viable option because they've realized that security is a battle they can't win on their own. They need to call in reinforcements. Andy Jassy, Senior VP of AWS, spoke frankly at the recent AWS Summit in San Francisco about the fact that today's businesses simply can't keep up with the pace of change. Even with a substantial investment, their infrastructure is outdated by the time it is completed. "With on-prem, you're going to spend a large amount of money building a relatively frozen platform and implementation that has the functionality that looks a lot like Amazon circa 2010," said Jassy. "It will improve at a very expensive and slow rate vs. being on something like AWS that has much broader functionality, can deploy more people to keep iterating on your behalf, keep evolving and improving the technology and platform."
What benefits do major cloud providers bring to the table? They can offer a three-pronged innovation strategy. First, these companies employ a huge team of experts who understand the complexities of cloud security and keep an eye on emerging threats. Second, they support a vast ecosystem of vendors that are continuously innovating and providing new solutions on the cloud platform. Finally, a cloud provider's own clients bring their concerns to the table, so all customers benefit from the remedies that are developed as a result. When it comes to cloud security, there may well be safety in numbers.
What strategies do you have for securing your cloud based resources? Let us know.
19 May 2014