Here is an IT executive. He (or she) is competent and professional. He has built a successful career based on making the right decisions after careful risk and reward analysis. He is not the first to embrace the bleeding edge. He likes to wait and see. Better to be second to market rather than to be first and fail.
This executive is excited about the cloud and its possibilities. He wants to learn more about this. But he’s not about to risk his reputation and that of his company by embracing the cloud too early. What if he moves sensitive data and applications to the cloud and there is a breach? Every day there is a new media story about cloud hacking. So our competent and successful CTO waits, and maintains all information on premises. What is wrong with this approach?
Everything, it turns out.
The argument about security and privacy issues in the cloud is a valid one. Yet, our IT executive needs to be educated about the real issues and the real risks. The cloud is more secure than traditional systems, and getting more and more secure every day, as technology advances. Maybe our wait-and-see executive is confusing control with security.
Even back in 2012 (ages ago in computer years), Alert Logic's Fall 2012 State of Cloud Security Report found that the variations in threat activity are not as important as where the infrastructure is located. Anything that can possibly be accessed from outside -- whether on premises or in the cloud -- has an equal chance of being attacked, because attacks are opportunistic in nature.
The report further found that Web application-based attacks hit both service provider environments (53% of organizations) and on-premises environments (44%). However, on-premises environment users or customers actually suffered more incidents than those of service provider environments. On-premises environment users experienced an average of 61.4 attacks, while service provider environment customers averaged only 27.8. On-premises environment users also suffered significantly more brute-force attacks compared to their counterparts.
This is even truer when we jump forward to 2016. The truth is that the public cloud is more secure than the typical data center, and IT would get better security if it got past its prejudice against the cloud.
Of course, because IT manages its own data resources, it believes it's doing a better job than other people might -- especially “those people” at those cloud services where security practices are opaque.
But this is simply not true. Cloud providers have better security mechanisms in place and are more attentive to security risks throughout their entire stack.
What public clouds bring to the table are better disaster prevention and business continuity services. The cloud providers are much better at systemic security services, such as looking out for attacks using pattern matching technology and even AI systems. This combination means they have very secure systems.
It should be no surprise that the hackers move on to easier pickings: on-premises data centers.
The on-premises systems that IT manages are typically a mix of technologies from different eras. The aging infrastructure is often less secure - and less securable - than the modern technology used by cloud providers simply because the old, on-premises technology was designed for an earlier era of less-sophisticated threats. The mixture of different technologies in the typical on-premises data center also opens up more gaps for hackers to exploit. Because on-premises systems are aging, their intrinsic security can be easily defeated by hackers. Moreover, the number of attacks increases weekly, and defenses need to be proactive -- more proactive than most enterprise IT organizations are capable of.
So, wait-and-see IT executives really need to act now and move to the cloud. Because sometimes being afraid of risk is the riskiest option of all.