A decade or so ago, cloud computing was the hot topic in IT and related business circles. As with any emerging technology, people were skeptical and suspicious, and they had lots of questions about how the cloud worked, whether it was right for their organization, if their data was protected, and so on. As time passed, people became increasingly comfortable with the cloud and began to capitalize on its potential.
One major benefit of the cloud that was understood in its early years is that enterprises can leverage it to get their applications up and running faster, with more manageability, more scalability, less maintenance, and fewer IT resources. Yet despite this recognition — which helped propel the cloud industry beyond the $100 billion mark in just 10 years — there are still lingering misconceptions about deploying applications in the cloud. The most prevalent misconception being that the cloud is a less secure place to deploy applications than deploying them in a private, on-premises data center. Here's why this notion persists.
While this myth is not grounded in empirical evidence, people connect logically with the idea that things that are under their direct control are more secure than things that someone else controls — in this case, cloud providers. Many enterprises still invest heavily in their own data centers because they believe that running their sensitive business logic and placing their sensitive data in the public cloud means that others — whether rogue employees of the public cloud or other malicious actors — will have an easier time stealing their crown jewels. I get it.
The reality, however, is that the vast majority of the evidence proves the opposite is true. Most of the major system hacks and data leaks in the past few years have not been on data or business logic in public cloud deployments. With the occasional exception of misconfigured public storage buckets, almost all data leaks happen on infrastructure and software managed internally by enterprises, not by cloud providers. But even when presented with this information, the myth of applications being less secure in the cloud continues to hamper business and its subsequent growth.
By not deploying their applications in the cloud, enterprises are missing out on immeasurable advantages. There are obvious cost reductions for most businesses in moving away from owning and operating data centers. There is also significant business value in the flexibility that the public cloud offers enterprises. Public cloud providers significantly reduce the friction, time, and cost of building new functionality and applications, especially complex solutions that employ cutting-edge technologies such as data science, machine learning, artificial intelligence, and blockchain. How can people be made to see the light?
The industry is working hard to educate the masses in this area, but more efforts are required. Validated use cases for regulated sectors such as banking and healthcare are needed; simplification of certifications when building on trusted public cloud building blocks can help as well. Most importantly, a clear blueprint of what cloud-native application security is, and what it enables, is critical so that enterprise customers can have confidence that they are using the right tools and processes to avoid risk.
Additionally, the shift to more cloud-native application technology stacks — such as the move to serverless applications — can accelerate this process to improved application security. Enterprises deploying sensitive serverless applications that have adopted the right approach to minimize risk and maximize security are finding these applications to be the most secure applications they are operating.
Whether an enterprise is using it to deploy applications or store data, the cloud — believe it or not — is simply more secure and more reliable than servers run in-house. Like any other decision when it comes to adopting new technology, enterprises should do their homework when selecting a cloud provider, understand what they're offering, what their assurances are, and how they provide security. Once your enterprise makes the leap to deploying applications in the cloud, you'll wonder why it took so long and why you were so worried.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.