I have talked to organizations that haven’t yet moved into the cloud because of security concerns. They stay locked in their own data centers because they have a fear of exposing their systems and information to the outside world. This may sound counterintuitive to those that haven’t moved to the cloud yet, but you’re more secure in the cloud than you are in your own data center.
I’ll give you three reasons why this is true — and one big caveat to make sure it’s true for you. Read on or watch the short video I did on this topic.
1. Someone else is handling security of the cloud on your behalf.
Who is the someone else? The cloud provider. The cloud provider is responsible for securing all of the services they provide to you. This is called the shared responsibility model. You get the advantage of the cloud provider’s investment in talent and technology to make sure the services they provide to you stay secure. If that cloud provider is one of the big ones like AWS, Microsoft, or Google, I’ll bet their investment in security is bigger than yours. Unless you’re the U.S. Department of Defense. Because of the shared responsibility model, there’s a lot less for you to worry about because someone else is worrying about it for you.
2. You can allocate more resources to security in the cloud.
Since the cloud provider is securing some of the things you used to invest time and money to secure, you can reallocate your investment to securing the stuff for which you’re uniquely responsible: your code and your data. Invest more in your people. Add more security tooling. Create more automated security testing. Spend more time exploring different threat vectors and closing them off. It’s like getting free money to improve security.
3. Cloud-enabled capabilities can lower MTTR for vulnerabilities.
The cloud gives you the ability to respond to vulnerabilities much faster. Maybe put more accurately, the combination of the cloud, CI/CD pipelines, and infrastructure as code gives you that ability. The metric here is “mean time to recover” (MTTR). See the first point in an article I wrote on why you should go faster. With that combination of capabilities, you can make changes to your systems to remediate vulnerabilities and deploy those changes in hours or even minutes — not days or weeks. This combination also makes it easier to stay up to date on software versions, which also is a boon to security.
There’s one big caveat to all of this: you need the training and expertise to operate securely in the cloud. If you don’t know how to operate securely in the cloud, you risk misconfiguring services and creating vulnerabilities bad actors could exploit. Just like Dow Jones early in 2019.
Move into the cloud. Move thoughtfully. You’ll get lots of benefits from doing so — including being more secure.