We had it all wrong. When Salesforce and other SaaS (software as a service) offerings hit the market, we pundits talked about how cost savings over conventional installed software would drive public cloud market growth. Perhaps what we are seeing now is the primary driver for movement to the cloud: organizations want to leverage the cloud for security.
Can You Trust Cloud Providers?
Let’s start by going back in time. Not too far (no need for the Wayback Machine); just a few years. I was talking with a customer about cloud services when they asked me if I thought cloud providers were secure. I responded with three comments.
- Cloud providers know that their business depends on being secure. Otherwise, customers will not come and the ones that are there already will go away. You don’t keep frequenting restaurants that made you ill, do you?
- Cloud providers like Google, Microsoft, and Amazon employ hundreds of engineers each, whose job is to make their platforms secure. How many security engineers do you have on your staff?
- Cloud providers learn from security incidents that occur across all their customers. Microsoft said recently that they see 8 trillion security “signals” a day. How many security “signals” does your organization see each day?
It makes sense, then, to leverage the cloud for security.
Don’t Take My Word for It
The theory of the case is that cloud providers are incented by the market to be secure. What about the data? You’ll like this. According to a report in Dark Reading, penetration testing conducted by the security firm Coalfire showed that 19% of vulnerabilities found in cloud provider networks were considered “high-risk” while 35% of vulnerabilities in enterprise networks were found to be “high-risk”.
As an aside, 27% of the vulnerabilities found in cloud provider networks were due to insecure configuration. Even more reason to involve an experienced partner when you start a migration project to a cloud provider. (Clears throat)
Specific Ways You Can Leverage the Cloud for Security
Let’s review some specific things you can do to leverage the cloud for security. Here is my list.
- Migrate to Azure Active Directory. Active Directory holds the “keys to the kingdom” as they say. Hackers go after Active Directory because it holds data on user accounts, roles, and permissions for the organization. Moving to Azure Active Directory eliminates a big security target on your network.
- “SaaS-ify” your applications. You have probably already done this for email. Now, look around and see what other applications you can “port” to a SaaS application. Expense reporting, travel planning, performance management and accounting are just some of the applications that have SaaS equivalents. Continue to replace your on-premises applications with equivalent SaaS services.
- Migrate your applications that don’t have a SaaS equivalent to a public cloud provider. Leverage the cloud for security by moving the “front door” for these applications to a public cloud provider. For instance, move a SQL Server-based application to Azure, where you can take advantage of SQL Services, or host the application as it’s currently configured.
Hollow Out Your Network to Make it More Secure
When I was a kid taking public transit to high school, I would keep a dollar or two of my bus money in my wallet and hide the rest in a secret compartment of my briefcase. That way, if someone tried to rob me while I was on the bus, I would only lose a buck or two. (What can I say? I lived in a rough neighborhood.)
Think about your network in the same way. Move anything that stores or generates confidential data or documents into the public cloud. The more you hollow out your network this way, the more you can leverage the cloud for security. You make your network a much less attractive target for hackers. And if you do suffer a breach, you will sustain much less damage.
If you leverage the cloud for security, you still must do all the other demanding work to maintain a good security program. As we often say, there is no single stock-keeping unit for security and no panacea that is going to make you secure at every level. But if you leverage the cloud for security, you will have taken a valuable first step to better secure your network.