The RightScale State of the Cloud Report found that the number of cloud users who cite security as a significant challenge decreased from 38 percent among those least experienced in cloud to just 18 percent among the most knowledgeable. The perception of cloud security as a showstopper for enterprises that are considering a move to the cloud has mostly disappeared, according to several cloud industry thought leaders we spoke with during the recent RightScale Compute conference.
Early adopters of the cloud computing model had to fight the perception that no Infrastructure-as-a-Service (IaaS) provider could be as security-conscious as their own organizations. Over the last several years, as public cloud providers have gotten better about communicating their security features, that view has changed, according to the cloud strategists we talked with.
Many of our large enterprise customers have a basic understanding that cloud is a technology like any other, and that it can be as secure (or insecure) as their internal data centers. For most organizations, the conversation is not about “Is cloud secure?” but more appropriately “How do I secure the cloud I’m using?” While this may seem to be a trivial change, it is a fundamental shift that has happened in the last year.
Public Cloud Security Has Matured
Recent developments such as the introduction of AWS CloudHSM, AWS’ use of VPCs by default for users when they first provision Amazon EC2 resources, and the newly announced automatic encryption of data on Google Cloud Platform have demonstrated a new level of maturity in the cloud security arena.
When we asked cloud industry thought leaders for their opinions, Peder Ulander, vice president of product marketing for cloud platform at Citrix, said flat out, “The perception of public clouds being insecure has gone away.”
Indeed, said Brian Goldfarb, head of cloud platform marketing for Google Cloud Platform, today it is more about having “comfort in the system … and less about the security itself.”
Duke Skarda, CTO at SoftLayer (which was recently acquired by IBM), said, “Security in the public cloud has really come a long way in the way that the public understands it. In lots of ways security problems didn’t exist — they were in people’s heads. As people understand the way the cloud works, they’re becoming more comfortable with it. As service providers, we’re also getting better about explaining how we protect our customers’ data and how we protect our network from attack.”
“Security has been a challenge for public cloud service providers in the past,” agreed Vanessa Alvarez, head of marketing at Scale Computing. “Today most public cloud service providers have addressed their security challenges and have brought in their enterprise customers to become a part of that responsibility. Security is a shared responsibility.”
Like Your Data Center, Only Different
Security in the cloud is following the same path toward acceptance that other technologies have faced. Many of the early concerns about security in public cloud are more about a lack of familiarity with how public cloud security works, or a resistance to looking at security solutions in a different way. Today security in the cloud is becoming more a matter of confidence than a technical problem.
Steven Martin, general manager for Windows Azure, said, “Everyone remembers the first time they pulled out their credit card and bought something on the Web. You were a little nervous, but over time you got used to it and understood the precautions that were being taken. We’re doing the same thing for cloud computing for the enterprise side.”
Brian Parrish, president of CloudSocium, echoed that thought, “Security maturity in the cloud is not that different from security on traditional hosts — it just takes a different mindset. You’ve got to get over the fear of not owning the equipment. Other than that it’s the exact same concerns.”
Cloud strategists talk about cloud security
And for those enterprises that still have doubts? Scott Sanchez, director of strategy at Rackspace, said, “Security in the public cloud is just something that customers are going to have to get comfortable with. They really need to embrace the change
brings in the model of computing for their applications. Compliance and regulatory will take time to catch up to the pace that technology has innovated.”
The Biggest Threat Might Be Your Applications
While all the tools are there to make your clouds as secure as your in-house platforms, you still need to take the same care with your architecture and your applications that you would with infrastructure running on-premise. Leaving a network port open or failing to observe coding best practices can expose your cloud to security risks, just as they can for in-house deployments.
“Security in the cloud has never been about ‘How secure is that cloud?’ It’s about the maturity of the organization using it,” said Justin Pirie, cloud strategist at Mimecast. “We advocate customers do good risk and compliance on the type of data they’re looking to put in the cloud and the protections that that cloud offers that data. If they match up, that’s great. If they don’t, it’s a risk decision that the business — and not IT — needs to take about what to put in the cloud.”
Despite the increased level of comfort with security in the cloud, enterprises should not be complacent. Dave Nielsen, principal consultant at Platform D, said, “We’re seeing real threats from hackers, and other types of data theft.” But he explained that it’s “because the application developer has made a mistake — not the infrastructure provider. I see a lot of effort to help the applications themselves protect the data from hackers.”
To hear everything these cloud experts have to say about cloud security, watch the five-minute video. We help enterprises manage and secure cloud applications and infrastructure every day, so if you have questions regarding security in the cloud, give us a call.