Public cloud security myths are most often attributable to a lack of understanding about how the cloud works and confusion about Cloud Service Providers´ Shared Security Responsibility Models. Unfortunately unjustified concerns have prevented many organizations from adopting the cloud and taking advantage of the benefits of the cloud.
Take the U.S. federal government for example. In December 2010, Vivek Kundra launched the federal government´s “Cloud First” policy, which had the objective of reducing waste and increasing efficiency. In the first stage of the new policy, the aim was to have each federal agency migrate a minimum of three workloads per year to the public cloud.
However, many agencies expressed concerns over public cloud security and storing data in the public cloud. Consequently, despite Kundra´s assertions that AWS and Google had better security practices than most federal agencies, very few mission-orientated workloads were migrated to the cloud – agencies choosing to migrate email systems and collaboration tools instead.
Federal Concerns Evolve into Myths
The Cloud First policy was not the only project to fail due to unjustified concerns about public cloud security. As the concerns of federal agencies filtered down to the public sector, some organizations accepted the concerns as truths, resulting in a number of projects being put on the back burner or shelved altogether. Ten years later, some public cloud security myths still exist.
“The lack of physical control over data makes our data insecure”
As Kundra asserted back in 2010, the physical controls applied by Cloud Service Providers are more robust than most public or private organizations can imagine. Cloud Service Providers are responsible for the security of the public cloud and implement multiple top-of-the-range security mechanisms to ensure the public cloud always remains secure.
“If we don’t connect to the public cloud, our data is at less risk”
Most organizations connect to the public cloud without even knowing it. One of the biggest cloud security risks is Shadow It – the unsanctioned use of cloud services and resources by Lines of Business; and such is the prevalence of Shadow IT, Gartner has forecast that “through 2025, 99% of cloud security failures will be the customer´s fault”.
“Single-tenant virtual private clouds are more secure than multi-tenant public clouds”
Single-tenant virtual private clouds and multi-tenant public clouds enjoy identical levels of physical and network security. The only difference between the two are that virtual public clouds run on dedicated hosts, whereas multi-tenant public clouds use logical content isolation to prevent resources used by multiple communicating with each other.
“Public cloud providers mine customer data”
With regards to this particular public cloud security myth, you have to ask yourself the question why Cloud Service Providers would risk their reputations by breaching customers´ trust. Furthermore, customers can prevent data mining by any source by encrypting data stored in the cloud and managing their own encryption keys.
“There are more data breaches in the public cloud”
In 2017, a security software vendor analyzed vulnerability scans from more than four thousand customers. Over a period of eighteen months, the vendor found that organizations operating exclusively in an on-premises environment were more than 50% more likely to experience a “security incident” than organizations operating exclusively in a public cloud environment.
Conclusion: Organizations Operating in the Public Cloud can be More Security Aware
Reflecting on the analysis of security incidents referenced above, the security software vendor classified an incident as any event flagged as a security threat that warranted further investigation. Subsequent investigations found that organizations operating exclusively in an on-premises environment were more susceptible to malware and botnets due to the lack of controls to mitigate against these threats.
The conclusion drawn from the research is that organizations operating in on-premises environments and private clouds experience more security incidents because they are not so security aware, while organizations operating exclusively in the public cloud may still have concerns about public cloud security, but put measures in place to address the concerns.