Should We Stay or Should We Go?

“Look at them!
They go on and on migrating to the cloud
while we remain here in our nests.
Should we follow them?
Or should we stay here?
What would be the best?”
This is something that certain birds,
sorry,
certain firms that are still on-premises,
keep asking themselves
during the present era of colossal digital transformation.

Amazon Web Services,
Google Cloud Platform,
and Microsoft Azure are the cloud computing platforms that,
in recent years,
have been leading this growing technological mutation,
hosting in their infrastructure
systems and data of companies of all types and sizes worldwide.
These IT Goliaths have been persuading organizations
to migrate from on-premises or in-house environments to the cloud
by offering benefits such as increased computational power,
speed, data storage, scalability, and cost reduction.

However,
many companies are still reluctant
to migrate entirely or partially to the cloud,
which can sometimes be well justified and sometimes not.
On certain occasions,
for some organizations,
although we could assume that they’re becoming fewer in number,
moving to the cloud may not be the best thing to do or may be unnecessary.
Factors such as the company’s size,
the industry to which it belongs,
its IT operations, economic capacity, business goals,
and even its planning ability and discipline come into play here.
Yet,
staying on-premises because they are already used to working that way
or because they believe they could face more security risks in the cloud
may not be compelling justifications.
Let’s briefly compare the two environments.

On-premises vs. cloud environments

When,
as a company,
you have an on-premises infrastructure,
you must take care of acquiring,
installing, and maintaining your hardware and software,
as well as storing and protecting your data.
One of the benefits of this approach is being able to control
all components and operations of your systems,
including the security of your assets and sensitive data.
The disadvantage may be that
you must have the necessary tools and well-trained personnel
for proper maintenance.

Both monitoring and maintenance of uptime and security
in on-premises environments
must be performed around the clock.
You must always be aware of software updates and patches
and the status and protection of your physical infrastructure,
which can often become a huge burden,
especially if you can’t count on sufficient resources.
(This overload is quite appealing to cybercriminals.)
Holding total control in on-premises systems can sometimes even mean that
your company will focus more on keeping everything running and secure
than innovating in the marketplace.

Such a burden can be significantly reduced
when you migrate to the cloud.
Not having a corporate infrastructure to maintain there,
you can considerably reduce costs.
In the cloud environment,
there is no need for such a substantial investment in tools and staff.
Primarily because the big cloud providers have already invested
vast amounts of money
in state-of-the-art security methods
for 24/7 software and hardware monitoring.
They know that with such a ubiquitous service,
they cannot afford to be victims of successful cyberattacks.

However,
one of the most serious drawbacks regarding cloud security
is the so-called “shared responsibility model,”
which is sometimes misunderstood.
As we explained in a post focused on this model,
cloud providers in their services are mainly responsible
for complying with security requirements
at the infrastructure level,
for which they are evaluated and certified.
In contrast,
as the customer,
it is up to you to comply with security requirements for your data,
applications, or other systems
(this will vary depending on the service you purchased,
whether infrastructure-as-a-service, platform-as-a-service,
or software-as-a-service).

The point is that within the cloud,
you must continue to pay attention to your company’s security
(albeit to a lesser extent)
and ensure compliance according to your region and industry.
Not properly recognizing this responsibility
and not having changed the mindset
to understand the logic of this relatively new environment
represents a considerable risk.
In fact,
many breaches can occur simply because of misconfigured cloud storage settings.
However,
proper migration and configuration will likely guarantee a reduction
in your company’s attack surface.

If your company is part of the cloud,
your data resides on the provider’s servers.
Although they have invested heavily in security,
it is not wise to rule out the risk of someone
at some point
infiltrating one of their server environments and,
from there,
being able to extract and compromise information,
not just from one but from many organizations.
Nevertheless,
since many attacks,
such as phishing,
tend to occur through user workstations
and these are segmented in the cloud,
this helps avoid many access risks.
To contribute to the mitigation of your risk exposure in the cloud,
you will have to manage robust and advanced information encryption processes
for your company’s sensitive data.
Also,
it is recommended that you use multi-factor authentication,
limit access by IP address,
and, of course, choose a reputable and reliable cloud provider.

Apart from the above,
another disadvantage of the on-prem infrastructure is its limited scalability.
If,
at a given moment,
for instance,
you have a fixed number of servers
but temporarily require a little more storage or computational power resources,
acquiring a new server just for that purpose will surely not be cost-effective.
On the other hand,
if you are in the cloud,
you will pay for the resources and services you need on demand.
That is,
you can add or remove resources as required,
keeping in mind to avoid consuming more than planned
and consequential losses.
Here,
some companies’ problems arise
when they don’t have adequate forward planning and discipline
in managing these resources.

Finally,
another advantage of hosting your data and apps in the cloud is that
it provides data and network backup capabilities.
There,
your data is stored in multiple data centers,
so the failure in one of them will not impede you
from accessing your information;
that is,
it will not affect its availability.
Something similar happens in the case of servers.
Some cloud providers offer virtualized servers,
which allow easy migrations between them
when there are breakdowns in their operations.
In this regard,
the problem with on-premises environments is that
the work usually depends on a few physical servers.
So,
if these are damaged,
it can mean exorbitant losses.

Hybrid environments

When you want to take advantage of the cloud
but not abandon the on-premises infrastructure
or when you plan to migrate gradually,
there is another option:
hybrid environments.
The first case is very common among those organizations
that still rely heavily on total control over their sensitive data
and critical systems.
These are stored and maintained in the on-premises environment.
On the other hand,
those data and systems that do not comply with these privacy characteristics
are hosted in the cloud,
of which the company in question seeks to take full advantage
of its flexibility, agility and cost reduction.

Wherever you are, Fluid Attacks is for you

While we at Fluid Attacks advocate migrating to the cloud,
something we did years ago with our data and products,
we also recognize that it may still be unnecessary
or too complicated for some organizations.
Whether you migrate or not,
we want to emphasize that
continuous security monitoring is still your responsibility.
Whether you work on-premises or in a cloud,
hybrid, or even multi-cloud infrastructure,
you need to be fully aware
of your environment’s integrated and interconnected components
and their security vulnerabilities to remediate.

If you want to leave your most important data and systems on-premises
for the peace of mind it gives you to maintain direct control over them,
it is still wise to remember that
this material must be thoroughly reviewed to ensure its security.
Concealment in cybersecurity is not synonymous with privacy.
If you are in the cloud,
don’t forget your security responsibilities there:
Comprehensively understand the service offered by the provider,
fully evaluate your configurations
and constantly test the security status of your data and applications.

From Fluid Attacks,
with our automated tools, artificial intelligence and hacking team,
whether you are here or there,
we can help you fulfill your cybersecurity responsibilities.
Don’t hesitate to contact us.
Click here
if you want to start with a free trial.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/on-premises-cloud-security/