Public Cloud: Security Strained by Complexity

Cloud computing is the single most important technology trend of the last 15 years, having a profound effect on many parts of IT. And as we enter 2018, cloud will emerge as a mature technology. In its report, “Cloud Computing Accelerates Enterprise Transformation Everywhere,” Forrester predicted that 2018 will be the year that more than 50 percent of all enterprises will be using public cloud for at least some aspect of their businesses.

Forrester also made predictions relating to cloud security, an area the research firm sees as a growth market. Spending in this area is growing rapidly, and major vendors—including Symantec, Microsoft, Cisco Systems and Oracle, to name a few—are setting up a scrum, buying up cloud-security companies and positioning themselves to compete. Forrester expects spending on cloud security products and services to reach $3.5 billion annually by 2021, with an annual growth rate of 28 percent over the next five years (as reported in “Cloud Security Solutions Forecast, 2016 to 2021”). Cloud security is one aspect of cloud computing that is not mature.

The conventional wisdom is that public cloud is highly secure; vendors have too much at stake to risk compromising security. But public cloud is not secure. Many experts might take issue with that statement. But the debate would be semantic. Public cloud vendors don’t secure your data; they secure their infrastructure. There is little doubt that the name-brand public cloud companies do a good job of securing their infrastructure. But cloud by its very nature introduces risk: The points of connection that extend outside your enterprise and outside the cloud facility are not protected by perimeter defenses. They are vulnerable potential points of entry. The more complex your cloud network is outside of your perimeter boundaries, the more risk you face.

The heart of the problem is data. It’s true that public cloud products from Amazon, Microsoft and other vendors have numerous features that help IT customers secure their cloud environments. All things being equal on how well they are managed, there’s no reason why a public cloud installation can’t be at least as secure as an on-premises one. And if you abandon your on-premises data center and move everything to the public cloud — assuming you fully understand that public cloud security is a shared responsibility between the cloud provider and enterprise customer — then strangely enough, managing security actually could become easier.

With Public Cloud, Secure Your Data

Most larger enterprises are, however, running both public cloud and an on-premises data center. The issue for those organizations is the sheer number of locations where their data is stored. Your applications may need access to that data. Your employees may need access to it. Suddenly the complexity of systems has snowballed; you find yourself with a hybrid cloud without having thought much about it, and your data security and access controls need to be well considered. If you back into this, security may suffer. So, public cloud isn’t inherently less secure; it’s just effectively less secure for many enterprises. Complexity is the enemy of security.

In 2018, a larger number of organizations will be grappling with these issues. It’s also quite possible that we will see a large publicized example of a public cloud breach.

Scot Finnie

Scot Finnie is an award-winning business and technology journalist, reviewer, columnist, editor, and manager. He was the editor-in-chief of Computerworld for 10 years. He's been a Windows and macOS operating system expert for two decades. He torture-tested laptop PCs. He was ZDNet's first editor.
