The basic argument for Cloud adoption is that it is a better option than anything else, all things considered. Elements within the argument include that through the economies of scale Cloud service providers are able to provide better technologies and greater elasticity than any individual entity could obtain by itself. There's certainly a lot of truth in that point of view, but I feel that the "Cloud is better" argument has broken some risk antennas.
If you spend a bit of time looking into this, you wouldn't conclude that Cloud is better come what may. Undoubtedly, the top tier providers such as AWS, Google and Microsoft operate at the cutting edge of operational security, but lower down the ladder, is that still true? I don't think so. Cloud service providers include not only the great, but everything through to the mediocre and the downright terrible. Being a Cloud service provider doesn't automatically constitute security greatness.
Even if we use the top tier providers, we do not benefit from a guarantee of security. For example, often there is some kind of third party "integrator" or "administrator" in the chain, who operates between the customer and the Cloud service provider. If their services are ropey, then everything is dragged down to their level. You know the adage: the chain is only as strong as its weakest link. I've seen plenty of situations of top tier Clouds being rendered second rate - insecure - by second rate middlemen.
Also keep in mind that Clouds are a honeypot for every form of cybercriminal. One of the reasons is the concentrated nature of the environment. In a multi-tenanted Cloud, the cybercriminal can get much more bang for their buck because of the impacts in the blast zone. Why target a single, specific entity when you can snag a boatload of victims? The recent attacks on file transfer sites are a case in point. If you move into a concentrated Cloud, do so knowing that you're adding a target to your back.
Finally, remember that out of sight is out of mind. The reason why supply chain attacks are so prevalent and hard to manage is because they inject opacity and obfuscation into the mix. What do we really know about the quality of security in our supply chains, as in really really? There's no point of principle that Cloud is more secure than the alternatives.
The big lesson, then, is don't drink the Kool-Aid on Cloud somehow being on a different plane of security, compared to everything else. It's what you make of it and what you do with it that counts. The Cloud doesn't have a God-given right to be considered secure.
But have you fallen into the trap of thinking otherwise? Tell me, when you adopted the Cloud, where did you get your confidence from?
Addendum. I was surfing through some security articles and found this one, about Microsoft and their Cloud. Not pretty.