Public Cloud: Definitely More Secure Than Your Own Datacentre
Headline too strong for you? Well, it was inspired by a couple of conversations this week that took me back in time to 2011 when I first joined Cloudreach, and the business world was a little more suspicious of cloud security.
What were the conversations?
Essentially, senior individuals at potential clients asked me "is the cloud really secure enough" for their production workloads. They felt they might struggle to get internal sign-off from key security stakeholders for moving workloads outside of the known and comfy world of their datacentre. Both clients were linked to Financial Services.
Surely that’s understandable?
Well, yes… and no.
Back in 2011, I went to meetings prepped to talk about the Patriot Act and to focus on discussing the datacentre security practices the major cloud vendors were following. 5 years on, and while Cloudreach will of course have to demonstrate appropriate governance being established during engagements, clients are in general less concerned about cloud security than they were. Significant trust has been built in the past few years, with major international enterprises running critical production workloads on the cloud being the norm – rather than the exception.
This is even becoming the case in more sensitive industries like Financial Services. We’re currently working with 5 organisations in this space, and all are deploying what would be regarded as "significant" workloads. This trend has been more notable since autumn 2015, when the FCA released clearer guidance giving Financial Services organisations the confidence that the cloud was "ok", and also with the FCA publicly committing to AWS. Specifically, they stated there is: "no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules".
This inspires everyone from large retail banks like Capital One to smaller challengers like Mondo and innovative teams like Stripe. The trend is the same – all are looking for the same thing: innovation in a sector which is ripe for disruption.
Go on then, explain why the cloud is more secure
As is the norm with my posts, when I talk about "the cloud" I mean "public cloud provided by AWS, Azure or Google". There are many other pseudo cloud offerings, and their security may indeed be somewhat worse than your datacentre (as noted in this previous post).
First up, it’s about scale. Do you really want to position yourself to compete with a technology business with a market cap of $300-600bn? The major cloud players have huge amounts at stake, and invest many multiples of most organisations’ entire IT budget, just on security. Can you attract the best from MIT, Cambridge and Stanford? No chance. These companies are security thought leaders and ahead of the curve, as a result of the talent they can attract and retain.
Side note: You should be expecting hackers to target your own data centre instead of AWS – it will almost certainly be easier for them.
Next up, their security is independently verified. Most companies will have a third party audit on an annual basis. Great. Do you have a list of audits that looks like this? Or this? The big boys are able to have 35+ independent audits active at any given time, and these lists are growing every year. Almost no one can compete with that – without huge investment which is impractical unless this is your core business.
The sophistication of cloud operating models has advanced significantly over the past few years. Documents like this one illustrate how one can persuade even the most ‘focused’ compliance team member that it’s possible to do things right in the public cloud. By working with the framework that AWS provide, it’s possible to create and operate a governance system tailored to the level of control your company needs.
Do you have end to end encryption enabled? Do you own the keys (if you want to)? If not, how long would it take you to set up? This is possible to achieve with simple configuration options in the major providers.
Are you 100% on top of your patching regime at the hypervisor layer? Honestly? The major vendors are, and will swiftly a) verify whether action is needed and b) take action where applicable – keeping you informed of course. AWS are public about their history on this, if you are interested.
For me, the tipping point for cloud adoption came around mid-2011, following the release of AWS "VPC" technology – including fully configurable private networks with security groups, access control lists, etc. I still talk to people who waste months of their lives opening firewall ports. Months. Why not just do this programmatically (with suitable change management)?
But the FBI/NSA/GCHQ/Other shadowy agency will take my data
Let’s be clear here: unless you encrypt your data properly at all stages of its journey, if the [insert shadowy agency] want your data, they’ll obtain it, regardless of whether it’s in your own data centre locked inside your premises.
The major cloud providers spend their lives turning down requests for data. Are your legal team braced for that battle? No chance. This is a hugely complex area. Are your data centres manned by a full-time security team that could and would prevent law enforcement entry? No chance.
Yes. You still need to secure your systems! The cloud is not magic. While AWS/Azure can provide you with an impressive security framework, you still need to operate it in a secure fashion. You (or a partner) still need to control which ports are opened, where anti-virus tech is deployed, whether your operating systems are patched, etc. The major providers call this a shared responsibility model.
The security weak points move from being the datacentre to being how you allow humans to make changes and the processes which govern these changes. What processes will you put in place to prevent your team from putting their AWS keys into a public GitHub repository, and then to limit the impact when they still do it?
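One preventive control for the key-leak case, as an added example that is not from the original post: a scanner for the added lines of a staged diff, of the kind a pre-commit hook would run. The sample diff is constructed and uses the placeholder credentials from AWS's own documentation; the file path and the hint-word heuristic for secret keys are assumptions. It covers prevention only, not limiting the impact afterwards.

```python
import re

# Constructed staged diff; the credentials are AWS's documentation placeholders.
SAMPLE_DIFF = """\
diff --git a/deploy/settings.py b/deploy/settings.py
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -10,3 +10,5 @@
 REGION = "eu-west-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 DEBUG = False
-TIMEOUT = 30
+TIMEOUT = 60
"""

# Access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) prefix.
KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-style characters; only flagged near a hint
# word (assumed heuristic) to keep false positives from hashes and tokens down.
SECRET = re.compile(r"(?i)(?:secret|aws)[^\n]{0,40}?(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

def redact(value):
    return value[:4] + "*" * (len(value) - 4)

def scan_diff(diff_text):
    """Return (file, new line number, kind, redacted value) per key on an added line."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif (m := HUNK.match(line)):
            lineno = int(m.group(1)) - 1
        elif line.startswith("+"):
            lineno += 1
            for m in KEY_ID.finditer(line):
                findings.append((path, lineno, "access-key-id", redact(m.group(0))))
            for m in SECRET.finditer(line):
                findings.append((path, lineno, "secret-access-key", redact(m.group(1))))
        elif line.startswith(" "):
            lineno += 1  # context lines advance the new-file line counter
    return findings

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print("possible AWS credential:", finding)
```

In a hook, feed it the output of `git diff --cached` and fail the commit when the list is non-empty; findings are redacted so the hook's own log does not become a second leak.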
And yes, I concede there are still some badly codified local laws regarding certain data types and certain countries which preclude cloud deployment for now. Having said that, this is eroding over time.
With even the CIA adopting cloud computing, and the arrival of more and more "in country" datacentres from the major providers, it feels like we’ve reached that tipping point where data security concerns will stop being raised, no matter what the industry. I’ll let you know next year.