These days, data security is a top concern for almost every company. A single incident could mean significant financial losses, whether it is unauthorised access to confidential data, modification of business data or the theft of intellectual property.
But actually, these financial losses could be the least of your problems if you start to consider the potential sanctions for non-compliance with existing legislation or the damage done to your corporate image. A lack of data security could mean a significant loss of consumer trust, revenue and capital.
So, given the importance of data security today, in this article, we are going to take a look at the security benefits of using the cloud when compared to more traditional on-premises solutions. Put another way, we’re going to explain why the cloud is more secure than an on-premises server.
Before we get too far ahead of ourselves, it’s important for me to say that we’re only going to take a summary look at these benefits and understand the basics today. We will come back to them in future articles to go into more technical detail.
Also, let’s make sure we’re all on the same page by saying that this article is directed at small and medium-size enterprises that are considering migrating to the cloud.
These types of businesses don’t have huge budgets to spend on expensive IT architecture, let alone high-tech security measures, and often misjudge the sizing of their infrastructure for those occasional spikes in demand on the system.
The first thing that we need to underline is that, whenever we talk about security on the cloud, it is important to remember that not all security measures are the responsibility of the service provider. There will always be some aspects that we have to take care of as customers. This is what is usually termed the shared responsibility model.
The shared responsibility model is based on identifying who manages which resources, the provider or the customer.
To do this, the first thing we need to do is establish which type of cloud we are working on.
Let’s remember that there are four basic service models, ranging from using the business’ own infrastructure to outsourcing all infrastructure using the public cloud:
As we move down this list of service models, the provider gradually takes increasing responsibility for security in accordance with the services they provide. However, there will always be aspects that the customer will remain responsible for.
As you can see in the image below, the management of customer devices, data or identities will always be the customer’s responsibility. They need to take charge of managing them and, above all, keeping them up to date with regard to security updates, patches, etc. Furthermore, the identity infrastructure will always be managed by the customer, regardless of the chosen service model.
Image. Comparison of different shared responsibility service models
Now that we understand the different types of cloud service models and that not everything is the provider’s responsibility, we can start to look at the advantages of using the cloud when it comes to data security.
The first thing that any IT manager needs to consider is where their hardware is physically going to go, whether it’s servers, storage cabinets or communications equipment.
The technical room or data centre is an extremely sensitive place that needs to be kept highly secure. It should be a separate room dedicated solely to IT infrastructure and should have restricted access. It should at least be kept locked with a key that only IT staff have access to. However basic this might sound, it’s something that many companies don’t do. Obviously, if your infrastructure is on the cloud, your cloud provider will have multiple different access controls, starting from the entrance to the building right up to the physical machines themselves.
Another point to consider is service continuity. All servers require a number of support systems, such as climate control systems (to keep the hardware at a safe operating temperature), an electrical connection, a fire extinguishing system and various data links that connect the business to the internet.
Almost every company has these services installed, but are they enough? Do they have several data lines in case the main one fails? Are the servers capable of balancing the service? Do they have a backup climate control system in case the main one fails? Do they have redundant electrical supplies in case of a power cut?
The answer to most of these questions is normally “No”. And this is usually due to a lack of funds.
By comparison, a cloud service provider has servers housed in data centres that boast appropriate climate controls and emergency systems. They will have redundant electrical supplies and contingency plans that allow them to keep their services running even in the case of a power cut or an external incident. This will be the case for all the other support systems that IT infrastructure tends to require.
Perimeter security is the first line of security when setting up a data centre, and even though many companies invest a significant amount in this, their perimeter security is often not enough to keep hackers out. In general, a small or medium-sized business is only really able to afford a firewall with limited functionality, and they won’t be able to update it or replace it as often as needed. By comparison, for a cloud services provider, providing these types of IT services is the core of its business model. Providing secure, functional environments is fundamental for the success of their business and they therefore cannot afford to neglect appropriate investment in security.
When it comes to intrusion detection and protection systems, there are few companies that can afford to deploy and maintain these types of systems themselves.
With the on-premises model, businesses often need to obtain a return on investment. This means that many companies end up running different services side by side on the same system, and this can pose security risks. With the cloud model, since the customer is only paying for the services they use, as and when they use them, these services can be kept separate on appropriately sized systems. This compartmentalised model makes it easier to manage access permissions and is more secure.
Many attacks on companies don’t actually come from the outside. They are often the result of internal errors or carried out by disgruntled employees, and this can pose a serious risk if multiple systems are hosted on the same infrastructure. The cloud model, on the other hand, allows much greater segmentation of resources, providing users with access only to those resources that they need to carry out their day-to-day tasks.
Data Storage and Backups
Turning to data cabinets or shared storage, the same thing happens. Companies often invest significant sums of money in their data storage systems and need to get the most out of them. However, since setting up backup systems often requires double the investment, these systems often don’t have any backup at all.
The cloud model often involves the use of multiple different types of storage that can be combined according to the company’s needs. This includes having redundancy, being able to make backups and, of course, having access controls to prevent business data from being compromised.
This brings us to geographic redundancy. For most businesses, setting up their own data centre is very complicated. So, setting up a second one as a backup is likely to be almost impossible. And on the rare occasion that a business does have a backup data centre, it is often located far too close to the original data centre. Why is this a problem? Well, we could list numerous real-life examples of this, but we’ll give just one illustration of why this is not such a good idea. One company, which shall remain anonymous, previously had their main data centre located in one of the towers of the World Trade Centre in New York. Their backup data centre was located in the other tower. Obviously, both data centres disappeared as a result of the attacks on 11 September 2001.
By comparison, cloud service providers host their redundant services in different data centres that, generally, are a long way away from each other, in different cities or even different countries. This way, they can guarantee continuity of service even if there is a serious incident.
As a general rule, all systems need updating to provide the best possible service and optimise efficiency. Such updates often include security updates that help protect systems against new and emerging online threats. With the cloud model, the provider is responsible for updating all their systems, meaning that you won’t have to worry about a thing. Of course, as we have already mentioned, there will still be some things that you need to manage yourself, and you will need to bear these in mind.
Finally, we need to talk about something very important – Regulatory and Legal Compliance. These days, businesses need to have certain certifications and comply with particular security legislation in order to provide services to customers or work with public organisations. Some of the most common include ISO/IEC 27001, ISO/IEC 22301 or the GDPR (General Data Protection Regulation).
In general, cloud service providers already have these certificates and can provide businesses with everything they need in order to ensure compliance with data and security legislation.
Having these certificates can have the following benefits for a business:
- Providing guarantees to customers: Helping to inspire confidence in customers and stakeholders.
- Competitive advantages: Having these certificates helps improve the company’s professional image.
- Aids business growth: Complying with these regulations means you will be compliant in a range of different countries, making it easier to expand your brand internationally.
- Brand protection: Should there be a case of data theft, a security breach or some other incident, the business will be able to demonstrate that it has taken all reasonable steps to protect data, thereby protecting its brand image.
- Compliance: Complying with ISO/IEC standards tends to guarantee compliance with other local legislation, preventing sanctions from government bodies.
Conclusions. Why is cloud more secure?
In an increasingly digital world, businesses are having to make significant investments in their IT systems to keep them secure, and this investment tends to be long-term. For most companies, this is unrealistic, and many can find themselves poorly protected against attacks in the short to medium term.
However, when you opt for a cloud services provider, security and stability are a core part of the service and key to the success of the provider’s business. Therefore, providers tend to invest large amounts of money to keep their services secure, compliant and reliable.
As a result, the best way to manage risk is to transfer systems to a cloud provider that can guarantee not only security but legal and regulatory compliance.
We hope you have enjoyed this article. As you can see, there are many advantages to using the cloud instead of an on-premises solution, and they are definitely worth bearing in mind when making a decision for your business.