The recent discourse on cloud computing security in the banking sector, highlighted by Nicholas Verne's article in the Financial Times, paints a rather bleak picture of the cybersecurity landscape when it comes to banks moving to cloud computing. I don't mean to just pick on this article, but I've seen this as a trend in the last few years, where the value of cloud computing is becoming more and more questioned. This is a change from just a few years ago when criticism of “the cloud” was taboo.
What happened between then and now? Companies have noticed weaknesses in cloud computing platforms, such as high cost and difficulty in leaving. This made it acceptable to point out issues with public cloud providers, and I certainly did my share, even when it wasn't fashionable to do so.
Migration to the cloud is often portrayed as a double-edged sword. It offers significant benefits in terms of scalability, efficiency and cost savings while simultaneously exposing financial institutions to new vulnerabilities and cyber threats. However, this narrative may oversimplify the complexities of cloud security and ignore the broader context of cybersecurity.
Misconceptions about cloud security
The idea that cloud computing inherently reduces security is a generalization that does not take into account developments in security protocols and practices within the cloud industry. The reality is that vendors spend much more on developing and deploying security systems for the cloud than they do on traditional on-premises systems. This increased spending is coming from public cloud providers themselves as well as from third-party security tool builders. Therefore, cloud security technology is usually much better than on-premises options.
Cloud providers are fully aware of their responsibility to maintain strong security. These companies invest heavily in security research, development of secure technologies, and compliance certifications that often exceed those in many other business sectors. In fact, the centralized nature of cloud services allows for faster updates and more consistent implementation of security patches, which is a huge advantage over traditional decentralized IT systems.
So why are these articles being written? If you look at the architecture of public cloud providers, you'll find that your data resides on clusters of physical servers, but you have no idea where those physical servers actually reside. This uncertainty generates a fear that security will be an issue since you cannot touch your servers. This is a mental perception rather than a real security problem.
A lack of technical skills is another primary root cause. The article notes that misconfigurations are the most common security threats to cloud-based systems. This is, of course, a human issue: people, not public cloud providers, are the ones who misconfigure security settings, and this allows breaches. Although you can't really blame cloud providers for this, the industry does. Of course, the same threats exist with on-premises systems, perhaps more so than in the cloud. This has been overlooked because the scary security stories about cloud providers seem more… well, scary.
Misplaced blame?
The article notes that cybercriminals exploiting vulnerabilities and misconfigurations in the cloud create increased risk. However, these issues could point to broader challenges in the cybersecurity practices of organizations themselves rather than inherent flaws in cloud computing.
It is also important to distinguish between the security capabilities of different cloud providers. Not all clouds are created equal. Major providers, such as AWS, Google Cloud, and Microsoft Azure, offer highly sophisticated security features that can be customized to organizations' needs. Smaller providers may not offer the same level of security, which can skew the perception of risk when discussing cloud security in general. Incidentally, this does not mean that small providers do not have effective security, but rather that there is not a significant amount of investment in their security systems.
Another aspect that has been overlooked in the discussion is the role of hybrid models where organizations have both on-premises and cloud-based infrastructure. This approach allows organizations to store their most sensitive data on local private servers while still enjoying the flexibility and scalability of the cloud for less sensitive operations.
Finally, the article discusses potential future threats from quantum computing, which could theoretically break current encryption methods. This is a future consideration that will impact all aspects of digital security, not just cloud-based systems. Trust me, cloud providers are already working on quantum-resistant encryption methods to secure data against emerging threats.
Although the security risks associated with cloud computing are significant, it is essential to maintain a balanced perspective. I've never been an advocate for cloud computing platforms, or any other platform for that matter. When it comes to security, we need to understand exactly what the problems are and how they can be mitigated. Recently, public cloud providers have gotten a bad reputation, perhaps without good reason. We can't let that cloud our evaluation of the platforms that host our apps and data.
Copyright © 2024 IDG Communications, Inc.