Most enterprises today place security as a top priority and enabler, regardless of whether their business goals are to grow and transform or increase the agility and quality of service delivery of their organizations. Similarly, a clear majority of executives in private and public sectors agree that migration and adoption of the cloud is key to accomplishing the security imperative.
Figure 1: Source: Security in the Age of AI; A 2019 Survey of CxOs
While there may now be a broad and implicit understanding, as shown in the Security in the Age of AI report, that the public cloud is more secure than traditional data centers, it is nevertheless important to enumerate all the reasons why this is so.
- Cloud architecture is homogeneous
Terrestrial networks have substantial security risk in that they have become more complex as they have grown. They have been built over years and include many accumulated security technologies, more than twenty on average, that do not integrate with one another, do not share a common management and logging framework and may even impede one another on threat detection or enforcement. Network defenders of traditional data centers are at a significant disadvantage against today’s complex threats because their tooling and methods are dated relative to those of attackers. By contrast, public clouds are an innovation of the last decade. In building their data centers, cloud providers used the same blueprint and built-in security capabilities throughout their fabrics. The net effect is a reduced attack footprint and fewer holes to exploit since the application of security is ubiquitous.
- Public cloud providers invest heavily in security innovation
Most providers of public clouds have built the entirety of their business on the cloud platform. This means that not only do cloud providers give customers a hosting environment for their workloads, but that same IaaS platform hosts the PaaS and SaaS services that drive core businesses of the public cloud provider. As such, the protection of both the infrastructure and the cloud services is priority one and receives commensurate investment. Public cloud providers collectively invest billions in security research, innovation and protection. One has only to look at the researchers credited with finding vulnerabilities to see that the names of public cloud providers regularly appear.
- Patching and security management are consistent
The latest security research from Verizon makes clear that enterprises experience security breaches most often because of errors in configuration and unpatched vulnerabilities. Security administration and patching are extremely difficult in traditional networks. Critical systems may be hard to patch because they lack effective backups or good network isolation, and security controls have no centralized administration point. Every security product has its own management console, and with more than twenty onsite for the average enterprise, mistakes are assured to happen. Contrast this with the public cloud, which by its very framework offers centralized mechanisms for patching and security administration. In fact, patching of infrastructure is most often entirely handled by the cloud provider without the need for customer intervention. Even when patching of virtualized operating systems and components is required by the customer, the tooling for doing this on a rhythm and schedule that minimizes disruption is built into the cloud. Similarly, with security policy and administrative controls, the sensors and enforcement points are built into the cloud infrastructure and the management console is integrated with the administration of the customer’s cloud estate.
- Security architecture changes are much easier
Part of the reason that security stacks on-premises are so complex is that changing vendors or tool types is difficult. The risk of disruption to operations is often so high that new tools are merely added to a chain of security products. In the public cloud, the commissioning of new capabilities is done as a service. New security capabilities are woven into the overall security architecture and cloud administration constructs. Customers can easily trial new capabilities in their own environments and assess the effectiveness and applicability of the tools. Most importantly, the customer’s cloud security architects can maintain a security design that is at its most efficient and effective by taking advantage of the latest advancements.
- Public cloud providers attract and retain top talent on cyber
To be sure, the cybersecurity skills shortage is being felt by everyone in every vertical and every geography. Still, cloud providers invest heavily in early recruitment, training/re-training and retention of security professionals. By offering interesting and innovative work in the world of cyber and the training to build sought-after skills, cloud providers make a very compelling case for candidates in a hypercompetitive market.
- Continuous compliance assurance
Cloud operators must comply with the regulatory mandates, frameworks and laws of the countries in which they operate. By adopting public cloud IaaS, for instance, customers are automatically the beneficiaries of deploying on an architecture for which the cloud service provider (CSP) has invested to earn certificates of compliant operation for the numerous standards and frameworks (e.g., PCI, ISO, SOC, FedRAMP, etc.) and for which the CSP will continually invest to maintain that authorization to operate. This is a substantial savings of resources and time for customers of the public cloud. Many operators provide evidence of their certificates as well as the reporting detail on how the authorization was earned, giving customers visibility to the attestation and the means of compliance. Perhaps equally important is the implementation of security assurance within the security operations of cloud providers. This ensures that once baselines are established, teams can work to maintain compliance through design, testing and implementation. DevSecOps is a mainstay within public clouds and it is a virtuous cycle of continuous security improvement where compliance is a natural outcome.
- Resilience to threats
Security incidents are a fact of modern digital life. In fact, they are so common that security best practices call for assumption of compromise at every layer of design and protection. The key to networks and systems that are highly resilient to attacks is deployment of layered defenses, and the ability to respond and recover quickly to incidents and attacks. Tiered defenses create multiple barriers for attackers so that if they successfully break through one they encounter another and another. All the while, the steps that attackers must take to reach a successful compromise or data theft increase in time and difficulty. In traditional networks these tiered defenses can be inconsistent and varied depending on geography and age of the network. By contrast, cloud architectures are homogeneous, allowing for not only the uniform application of tiered defense but of continuous logging and monitoring. Ultimately, the very instrumentation to detect and respond to threats is a lot more pervasive and sophisticated, making the cloud more resilient.
So, if the cloud is more secure, then why all the headlines about data theft and compromise? That is the topic of our next blog post on security misconfiguration in cloud and what Oracle is doing about it. Learn more about Oracle’s Generation 2 Cloud at OpenWorld this week at my session, “Oracle Cloud End-to-End Security: An Overview of Gen2 Protections,” (session PRO5279) on Monday, September 16, 02:45 PM - 03:30 PM | Moscone South - Room 152A