When concerns over cloud migration are discussed, it invariably brings up the issue of security and concerns over “will my data be safe out there somewhere and not totally under my control”. This was raised as one of the reasons people delay moving their business operations to the cloud during our recent Pulsion Talks series.
The purpose of this blog is to alleviate some of those concerns by looking at some real-world examples to illustrate why I believe the cloud is secure. Yes, there will always be risks but equally you could argue the risks are greater if you stick with on-premise solutions due to a misconception over cloud security. There is no argument over the benefits that can be gained by moving business operations to the cloud such as lower costs, flexibility, software updates, ability to work and access data from anywhere or on any device and the opportunity for increased collaboration with colleagues, particularly when the workforce is spread across multiple locations.
However, stacked against those benefits are some of the biggest concerns we hear on cloud migration such as loss of data, accessibility and cyber-attacks. All genuine concerns and reasons to look for more information to validate that the cloud is right for your business.
Can the benefits outweigh those concerns?
Let’s see through some practical examples if I can try to address the concerns and prove that when it comes to security, an on-premise solution will not be able to compete with large cloud providers such as Amazon, Microsoft and Google.
The UK Government 2019 report on Cyber Security Breaches points to a decline in security breaches, stating that approximately one third of UK businesses reported a breach of some kind. That may still seem a high number but the report goes on to explain that this is the lowest number they have reported. Indeed, the figure has reduced by 11% since the 2018 report. The reason put forward for this decline is that as awareness grows, companies are becoming more aware of the threats they are open to but very interestingly, one of the measures put forward as a reason for this decline is an increase in businesses migrating their data to the cloud rather than maintaining their on-premise solutions. That would indicate that the message is starting to develop that cloud solutions might be more secure than on-premise.
Another perfect example of a growing recognition that cloud is more secure is the US Federal Government plans to ramp up their cloud migration projects for their internal departments, putting cloud adoption at the heart of their IT Modernisation Strategy. This included moving the Department of Homeland Security to a cloud environment. Personally, I think if the Department of Homeland Security are happy to keep sensitive information on the cloud then maybe security shouldn’t be a huge concern or blocker to making the move.
One point to note is that cloud migration in no way means giving up responsibility for you own company data. For that reason, Amazon Web Services (AWS) deploy a Shared Responsibility Model which means:
- Customers are responsible for choosing how their data is handled IN the cloud; and
- AWS is responsible for the security OF the cloud
This means that customers decide how data is managed through choices on things like client or server-side encryption, platforms, operating systems and accessibility and AWS look after the security of the server on which the data is held. This shared responsibility model maintains a level of ownership for the data itself and how it is handled. This ensures anyone with a reluctance to give up full ownership can rest assured that they will be involved and make decisions on how that data is handled and who has access. Equally, anyone who thinks moving to the cloud devolves them of responsibility is wrong, there are still security measures organisations need to ensure are in place and that is what makes the AWS shared responsibility model a good example of ownership and accountability for security.
AWS places security at the heart of every offering to help you fully realise the speed and agility of the cloud
Despite more and more evidence to suggest that cloud is the best option, there are still reports which throw that debate wide open. Take for example, this article from BBC News in October 2019 which examines the issues around bank account accessibility and IT issues with banks as they reach unacceptable levels. One thing pointed to in this article is a concern over the increase in use of:
Third party providers of cloud services for computing power and data storage. The consequences of a major operational incident at a large cloud service provider, such as Microsoft, Google or Amazon, could be significant. There is, therefore, a considerable case for the regulation of these cloud service providers to ensure high standards of operational resilience
From this report, “cloud services stood out as such a source of systemic risk for the financial system”
While I understand the concerns raised in the article and the report, is it fair to highlight point the finger at the main service providers? It doesn’t state that these cloud service providers were at fault for the issues – it states that there is a concern moving forward of the risk. I would ask – is that risk real or perceived out of the sensitivity of this being about people’s money and rightly so, who wouldn’t be concerned about that. But who is at fault here? The banks themselves or cloud providers? The report doesn’t address that and if the issues have occurred due to internal system failure then surely that makes the case for cloud providers being more involved even greater. Regardless of who is at fault, there is no doubt that the two need to work together to improve current systems and ensure these issues are reduced to an absolute minimum to alleviate public concern. Don’t get me wrong, I’m not dismissing these concerns to help my argument and if I didn’t have access to my own money due to an IT issue with my bank, I would be as angry as anyone else but in spite of the findings of the report, I would still make an argument for cloud over internal systems – even for banks.
One final real world example is from an email verification tool company (yes, even in the world of GDPR they still exist). Verifications.io suffered a major data breach in early 2019 which resulted in the details of over 800 million people becoming widely available to anyone with the knowledge to access the database – it was wide open with no encryption or security. Articles around this state that the data was held across 4 databases, all located on one server. It doesn’t state where the server was held but I can guarantee that none of the big cloud service providers had any involvement in this or we would have known all about it. As soon as the breach was highlighted the data was removed and the verifications.io website quickly followed but by then it was too late. They did argue that much of this data was already in the public domain such as email addresses and social media accounts but that’s not much of an excuse when the numbers show the huge amount of data being readily available due to one company. A search today would show that the domain for their website is for sale, pointing to the fact that a lack of security has far reaching consequences for those responsible whom it would appear are now out of business.
That to me is the ultimate argument in favour of the cloud. It is in the interests of the large service providers to ensure your data is secure – they can’t afford the publicity if it goes wrong and for that reason they employ an army of experts to ensure risk is mitigated to as low as reasonably practical. No on-premise solution could ever meet that level of security, organisations simply don’t have the manpower or budget to maintain systems to the same level.
Nothing in life or business is without risk and a cloud solution will continue to have it’s detractors. My opinion though, is that cloud is the better option over on-premise. However, you need to consider what is best for you and weigh up the pros and cons of each to ultimately decide what you believe to be the best solution for your business.
Wherever you are in your cloud journey, speak to us and we will have an informal discussion to offer advice on the best way forward for you.