It seems to be fair game now to label cloud security as risky even though your data is likely safer there than on-premises.

The recent discourse around the security of cloud computing in the banking sector, highlighted by Nicholas Fearn’s piece in the Financial Times, paints a somewhat grim picture of the cybersecurity landscape when it comes to banks moving to cloud computing. Not to pick on just this article, but I’ve seen this as a trend in the past few years, as the value of cloud computing has been called into question more and more.

This is a change from just a few years ago when it was verboten to criticize “the cloud.” What happened between then and now? Enterprises saw the weaknesses of cloud computing platforms, such as costing too much and being difficult to leave. This made it okay to point out the issues with public cloud providers, and I’ve certainly done my share, even when it was not trendy to do so.

Migration to the cloud is often portrayed as a double-edged sword. It offers significant benefits in terms of scalability, efficiency, and cost savings while simultaneously exposing financial institutions to new vulnerabilities and cyberthreats. However, this narrative may oversimplify the complexities of cloud security and overlook the broader context of cybersecurity.

Misconceptions about cloud security

The notion that cloud computing inherently decreases security is a generalization that fails to consider the advancements in security protocols and practices within the cloud industry. The fact is, vendors are spending much more on developing and deploying security systems for the cloud than they are for traditional on-premises systems. This increased spending is coming from the public cloud providers themselves as well as from builders of third-party security tools. Therefore, cloud security technology is normally much better than the on-premises options.

Cloud service providers are acutely aware of their responsibility to maintain robust security. These companies invest heavily in security research, development of secure technologies, and compliance certifications that often exceed those in many other business sectors. In fact, the centralized nature of cloud services allows for quicker updates and more uniform implementation of security patches, a significant advantage over traditional decentralized IT systems.

So, why are these articles being written? If you look at the architecture of public cloud providers, your data is sitting on clusters of physical servers, but you have no idea where those physical servers actually are. This uncertainty breeds a fear that security is going to be a problem since you can’t touch your servers. This is more of a mental perception than a true security problem.

Technical skills are another basic root cause. The article points out that misconfigurations are the most common security threats to cloud-based systems. That, of course, is a human issue: People, not public cloud providers, are the ones who misconfigure security settings, and this allows breaches. Although you can’t really blame the cloud providers for that one, the industry does.

Of course, the same threats exist with on-premises systems, perhaps more so than in the cloud. It’s just overlooked because scary security stories about cloud providers just seem more…well, scary.

Misplaced blame?

The article suggests that cybercriminals who exploit cloud vulnerabilities and misconfigurations are leading to increased risks. However, these issues can indicate broader challenges in the cybersecurity practices of the enterprises themselves rather than inherent flaws with cloud computing.

It’s also important to differentiate between the security capabilities of various cloud service providers. Not all clouds are created equal.
The major providers, such as AWS, Google Cloud, and Microsoft Azure, offer highly sophisticated security features that can be tailored to the needs of enterprises. Smaller providers may not offer the same level of security, which could skew the perception of risk when discussing cloud security in general terms. By the way, this does not mean that small providers don’t have effective security, only that there is not as much investment made in their security systems.

Another aspect overlooked in the debate is the role of hybrid models where enterprises have both on-premises and cloud-based infrastructures. This approach allows enterprises to store their most sensitive data on private, on-premises servers while still enjoying the flexibility and scalability of the cloud for less sensitive operations.

Lastly, the article touches on potential future threats from quantum computing, which could theoretically break current encryption methods. This is a future consideration that would affect all aspects of digital security, not just cloud-based systems. Trust me, cloud providers are already working on quantum-proof encryption methods to secure data against emerging threats.

Although the security risks associated with cloud computing are important, it is crucial to keep a balanced perspective. I’ve never been an apologist for cloud computing platforms—or any other platform for that matter. When it comes to security, we need to understand exactly what the issues are and how they can be mitigated. Lately, public cloud providers have been getting a bad rap, perhaps for no valid reason. We can’t let that fog our evaluation of platforms to host our applications and data.