This isn’t the first time this has happened. In 2017, a data breach at Equifax affected about 148 million of its consumers, or about half the U.S. population. Hackers made off with Social Security numbers, birth dates and addresses—enough information to steal a person’s identity. The culprit? An unpatched vulnerability in Apache Struts, used to support an online dispute portal.
Who could have predicted that a little worm could cause billions of dollars in damages? Probably not businesses that were using on-site computing in May 2017. That’s when the WannaCry ransomware cryptoworm attack hit PCs in countries and business around the world. The worm wiggled past older Window systems where IT security administrators had failed to apply Microsoft patches and took advantage of backdoors on infected systems. The attack is estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars.
Still, couldn’t this happen in the cloud as well
It’s unlikely. Today public cloud adoption is over 90% and IT pros firmly agree—cloud security is preferred over on-premises operations for protecting data and systems. Here’s why:
Most security mistakes are in-house
Gartner predicts that 95% of cloud security failures from now until 2020 will be the customer’s fault. The biggest cloud security threats for most companies result from in-house staff mistakes, lack of patching and misconfiguration. For example, Symantec says so-called phishing rates are growing across most industries and organization sizes, and that 76% of businesses reported being a victim last year. The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. Portions of the cloud stacked under customer control can still be made vulnerable by inexperienced users with poor cloud “hygiene,” prompting widespread security or compliance failures.
A locked door isn’t enough
We all know that businesses still rely on legacy systems today, often using them in tandem with cloud infrastructure and backup and recovery services. But these on-premises systems are increasingly vulnerable to hackers. In many offices, the only thing between IT equipment, data and bad actors is a locked door.
Another issue that plagues on-prem security is a skills shortage. A new report from McAfee reveals that one in four organizations using Infrastructure as a Service (IaaS) or Software as a Service (SaaS) have experienced cybersecurity threats that compromised some data. One in five were infiltrated by advanced attackers targeting their public cloud infrastructure. InfoWorld cloud expert John Linthicum goes as far as to say having poor talent is worse than not having the talent at all, and too many enterprises lack both the skills and experience for cloud security.
On-premises cloud security continues to be a huge drain on management time, attention and budgets. Today it’s no longer just a technology issue, but a business and brand issue as well. Corporate boardrooms tasked with risk management have been riveted by the impact of high-visibility attacks, with many CEOs and IT leaders losing their jobs. Smaller companies face an even bigger challenge as the security landscape continues to change at an incredibly rapid pace.
Public-cloud security means multi-layered security
Public-cloud security is a formidable adversary for hackers. First, public-cloud providers spend an enormous amount of resources and billions of dollars annually on making sure their services are secure.
Physical security is locked down at hundreds of datacenters worldwide with multi-layered protections, such as high fences, barbed wire, concrete barriers, physical security guards and security cameras. The computing infrastructure itself contains customized hardware and firmware components with built-in protections against distributed denial of service (DDoS) and the operational capacity to scale to the largest workloads.
Secondly, providers maintain large dedicated security teams staffed by top experts in information, application, network security and privacy. Google, for example, maintains strict data disposal policies where disks are logically wiped clean by authorized individuals and facilities are audited on a weekly basis to monitor compliance with the disk erase policy. Their security team is credited with discovering the Heartbleed bug—a serious vulnerability in OpenSSL that allows remote attackers to expose sensitive data—and implementing an “SSL by default” policy at Google.
Additionally, providers offer a variety of security tools that are available on demand, limiting upfront expenses and at a lower cost than in an on-premises environment. For example, AWS offers 17 optional tools ranging from compliance reports to key storage and management, as well as threat detection. AWS’s security certification and compliance list is awe-inspiringly long, and AWS is trusted to securely support more than 600 government agencies.
As users realize that many security controls they were responsible for are now managed by providers, public cloud becomes a more attractive, affordable option for transforming their businesses. Nonetheless, cloud security is a shared responsibility model between providers and customers. The question today is not about whether public cloud is secure or not, but whether organizations have developed an enterprise cloud strategy that helps them use the cloud securely.
At Nortal, we understand security is a No. 1 concern of customers moving to the cloud. We partner with both AWS and Google to provide the needed expertise to identify, develop and implement strategies that will better secure your public-cloud environment and your business.
To learn more about ensuring security, contact us.