Understanding the Differences Between On-Premises and Cloud Cybersecurity

The difference between managing cybersecurity in on-premises and cloud environments is not unlike playing traditional versus three-dimensional chess. While the tactics are similar and goals are the same — reduce risk, protect confidential data, meet compliance requirements, and the like — the cloud adds complexity that completely changes the dynamic. The cloud's architecture, lack of change controls, and subtle and not-so-subtle differences in various cloud platforms' basic design and operations make cloud security more complex.

While migrating to infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS), and serverless computing is well established, some veteran technical and management staff who were trained in on-premises environments still bring that operational bias to managing clouds. However, the nature of cloud environments means security and technical teams need a different mindset to understand and manage their new attack surface.

Three Clouds, Three Environments

Organizations often use multiple vendors' clouds, whether to meet specific operational needs, optimize price and performance, or access specialized capabilities. Most midsize to large organizations use two or more clouds (making them multicloud) in conjunction with on-premises servers and infrastructure (referred to as hybrid cloud).

Microsoft Azure is the popular choice if you're running Windows for your in-house applications. There is a natural gravity to move to Azure once it no longer makes sense to deploy more racks in your data center. If you are deploying large-scale Web apps, the natural affinity is towards Amazon Web Services (AWS), although Google Cloud Platform (GCP) is also attractive for these use cases. GCP is also known for its analytics capabilities (BigQuery), so some organizations use it exclusively as a data lake with advanced analytics.

To effectively protect every cloud environment, cybersecurity teams must be security experts for each one. But there is a disconnect between how much additional work people think two or three clouds should entail and the work it actually entails, as each cloud's attack surface is distinct. So, splitting your workloads across two clouds almost doubles the knowledge and work required compared to running all your workloads in a single cloud.

DMZ Differences

Another difference is that an on-premises data center has a well-defined demilitarized zone (DMZ) to protect external-facing services, while cloud environments mostly don't.

A physical data center has a clear (often physical) DMZ where multiple security controls and monitoring are implemented. There are clear pathways into and out of a data center that an adversary's command-and-control channel and exfiltration traffic would need to traverse.

In the cloud, the DMZ is more of a logical construct, and often the DMZ's reality does not align with the organization's mental model. It is not unusual for a scan to find unexpected holes exposing organizational data outside the environment. Chasing down and managing your DMZ requires specialized expertise that security architects who focus on on-premises networks may not have.

Leaky Cloud Services

Attackers can leverage many multitenant cloud services to communicate in and out of a cloud environment in a way that bypasses the tenant's network. A classic example is when an attacker breaks into an AWS environment and expands access (from the Internet or another AWS tenant) to an S3 bucket. You can't observe an attacker reading 10GB of content from the S3 bucket on the tenant's network; because it occurs in the cloud service provider's backplane, it is basically invisible to the tenant. If that same 10GB of content was exfiltrated from an on-premises network, it likely would be flagged and the security team notified.

If this were just about having the right controls for cloud storage services in place, it might seem like a manageable problem. But each service in the cloud has its own features and controls, and some may enable hidden external communication. Your cybersecurity team must be able to find all of them (not just the ones you intend to use) and have the necessary controls and monitoring in place.

Problems With Updates

Cloud providers make regular updates, such as adding new services, improving capabilities in existing ones, or changing a service's default settings. Even services you don't intend to use can expose you to risk, as attackers who have burrowed into your environment can leverage a leaky service to establish external communications. Or, the provider might change a service's default configuration from restrictive to permissive policies, blindly exposing you to risk. These are not just theoretical scenarios — attackers are already leveraging these capabilities.

Compare this to an on-prem data center, where you are in control of software updates. You would not install software that you did not intend to use, as it would expose you to more risk and more work. On-prem data centers tend to have the opposite problem: known vulnerabilities are not patched quickly enough. You might spend a lot of time and money deciding which software patches are critical so that you can reduce your attack surface to the greatest possible extent with the minimum possible number of software updates.

Protecting Your Cloud

Understanding the structural and operational differences between on-premises and cloud operations is essential. To start, while it may seem business-friendly to allow each business unit to choose its preferred cloud platform, each new cloud comes with substantial additional work to secure it.

Ignoring the risks, including training and staffing priorities, will expose you to threats when many advanced attackers are focusing on your cloud footprint. Today's innovative cloud attacks will be tomorrow's run-of-the-mill breaches.