The basic argument from cloud enthusiasts is that Amazon, Microsoft, Google, IBM, VMware and other IaaS vendors spend much more on securing their systems than most organizations are able to do themselves.
Still, Arnette admits there are folks who “look at the world through a different lens” who believe the cloud is less secure than on-premises infrastructure – and it always will be.
Perhaps cloud pessimists have good reason. In 2014 CodeSpaces became a poster-child example of how not to use the cloud. Hackers gained access to the company’s central AWS administrative console and demanded a ransom. When it was not paid, the hackers deleted everything in CodeSpaces’ AWS environment. It was a dark day for cloud security. Some saw it as an example of why the cloud can be insecure. Others used it as a teaching moment.
But there are certain workloads that will likely never move to a public cloud. Some organizations for regulatory, compliance, safety or customer demand reasons require “air-gap,” offline data center operations – meaning no network connectivity into or out of the data center. By definition of what an IaaS is (delivered via an Internet connection) that would not be possible in the cloud, says Tim Prendergast, CEO of Evident.io, a company that specializes in securing AWS environments.
Most other workloads, even those in heavily regulated industries can, theoretically move to the cloud. Mackenzie Kosut has worked in health care and finance, and at both jobs has heavily used AWS. “For security it comes down to two core philosophies: Restrict access and encrypt everything,” says Kosut, now head of technical operations at Betterment – an online investment consultancy; he was formerly at Oscar Health in New York. Both have complied with HIPAA and FINRA regulations while running in AWS’s cloud.
Krishna Subramanian, chief operating officer at hybrid cloud storage vendor Komprise and a former Citrix cloud manager, says tools that give customers the ability to manage encryption keys on their own premises have been a big advancement for security-conscious cloud users. AWS’s Hardware Security Module (HSM) is an on-premises infrastructure appliance that allows users to encrypt data on their own servers and then store the encryption keys in the HSM, which sits behind their firewall. Only encrypted data is sent to the public cloud, and keys never leave the customers’ premises.
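The pattern Subramanian describes is envelope encryption with a customer-held key: each object is encrypted under a fresh data key, that data key is wrapped by a key-encryption key (KEK) that never leaves the on-premises key holder, and only the ciphertext plus the wrapped data key is uploaded. The Go program below is an added illustration written for this article, not AWS or CloudHSM code; the `Custodian` type is a hypothetical stand-in for the on-premises HSM, the sample record is constructed, and AES-GCM is used for both wrapping and bulk encryption. It also includes the check a practitioner would want before trusting such a scheme: that the blob destined for the cloud contains no plaintext, that tampering is detected, and that a different KEK cannot recover the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Custodian models the on-premises key holder (the HSM behind the firewall).
// Its KEK is created inside the struct and is never returned by any method;
// callers can only ask it to wrap or unwrap per-object data keys.
type Custodian struct {
	kek cipher.AEAD
}

// NewCustodian generates a random 256-bit KEK and keeps it private.
func NewCustodian() (*Custodian, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	aead, err := newGCM(raw)
	if err != nil {
		return nil, err
	}
	return &Custodian{kek: aead}, nil
}

// Wrap encrypts a data key under the KEK; Unwrap reverses it.
func (c *Custodian) Wrap(dek []byte) ([]byte, error)     { return seal(c.kek, dek) }
func (c *Custodian) Unwrap(wrapped []byte) ([]byte, error) { return open(c.kek, wrapped) }

// CloudObject is the only thing that leaves the premises: ciphertext and the
// wrapped data key. Neither field is usable without the custodian's KEK.
type CloudObject struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt runs on the customer's own server: generate a fresh data key,
// encrypt the record with it, then have the custodian wrap the key.
func Encrypt(c *Custodian, plaintext []byte) (*CloudObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ct, err := seal(aead, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := c.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &CloudObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt pulls the object back on-premises: unwrap the data key via the
// custodian, then decrypt. GCM authentication fails on any tampering.
func Decrypt(c *Custodian, obj *CloudObject) ([]byte, error) {
	dek, err := c.Unwrap(obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, obj.Ciphertext)
}

// LeaksPlaintext is the pre-upload sanity check: the blob bound for the
// public cloud must not contain the record it is supposed to protect.
func LeaksPlaintext(obj *CloudObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedDEK, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a random nonce to the GCM ciphertext; open splits it back off.
func seal(aead cipher.AEAD, data []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, data, nil), nil
}

func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	custodian, _ := NewCustodian()
	record := []byte("constructed sample: patient 4711, plan B, balance 1200.00") // constructed data
	obj, _ := Encrypt(custodian, record)
	fmt.Printf("upload %d bytes ciphertext, %d bytes wrapped key, plaintext leaked: %v\n",
		len(obj.Ciphertext), len(obj.WrappedDEK), LeaksPlaintext(obj, record))
	back, err := Decrypt(custodian, obj)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(back, record), err)
}
```

The point of the split is the blast radius: a compromised cloud account exposes ciphertext and wrapped keys only, and a compromised KEK holder still requires the stored objects. Rotating the KEK means re-wrapping the small data keys, not re-encrypting every object.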
Treadway, the CloudTP executive, says the whole discussion about which infrastructure is more secure could be missing the point. “Most security issues are not with the infrastructure,” he says. “They’re with the application.”