Mythbuster: Which is more secure? Cloud or on-premise?
What’s your IT security like?
What are you doing about antivirus protection? What is your email, web and input security solution? What type of firewall do you have, and how robust are your firewall rules and perimeter security?
Have we lost you already?
If you’re like a lot of Kiwi SMBs, you may well think your data is best kept safely tucked up on premise, near you. For most, however, that’s a dangerous assumption.
Chris Maclean, from Maclean Technology, says on-premise security in SMEs tends to be unmanaged, with an appliance purchased from a vendor, configured and customised to suit, then left to do its job without regular updates and log checks.
“Without keeping the appliance updated, the customer isn’t getting the protection level they think they are,” Maclean says.
The best appliances are also often out of reach of the more modest budgets an SME will often apportion to network security, leaving SMEs without the benefit of the high-end intelligent features large enterprises use to analyse patterns and, crucially, prevent new attacks.
“The lower budget devices rely on matching known patterns,” Maclean says. “So they typically are not able to stop the newest attack methods. This means it’s doubly important to keep the patch levels up to date and continue to monitor the logs.”
Maclean says monitoring logs comes with its own expertise requirements, something an SME is typically not prepared – or able – to invest in.
“Most SME clients we talk to have some security measures in place, but still have gaps in their security.”
While there remains a persistent line of thought that the cloud is inherently less secure than on-premise, cloud providers need extremely robust and multi-layered security.
There aren’t many SMEs who invest in perimeter security for their site, have security guards on hand 24x7, enforce two-factor authentication, have multiple keypad controlled doorways into and out of their server room, and spend the money required to have the best possible security appliances money can buy.
“From a technology and social engineering of staff perspective, a cloud’s data centre is inherently much more secure than most SMEs,” Maclean says.
Even the ‘security by obscurity’ argument, which suggests cloud providers could potentially be more obvious targets for attackers, is flawed.
“Just like opportunistic thieves, most hackers prefer to go for the quick win,” Maclean notes. “It really isn’t that much harder for them to locate a smaller business with much weaker security, and breach that.”
In fact, the majority of breaches occur in the SME space and go largely unreported - unlike the rarer high profile attacks on well-known enterprises, which garner headlines.
Late last year Vodafone identified that 56% of New Zealand businesses experience IT security attacks at least once a year. Yet 20% of businesses with one to nine full-time employees admitted they weren’t investing in IT security at all.
Meanwhile MYOB’s Digital Nation report, released in April, shows losing access to data is a key concern for Kiwi SMBs, along with hackers gaining access to business data and losing control of data.
The cryptolocker ransomware which hit headlines last year was most successful against smaller businesses that hadn’t invested in the best possible edge security they could get.
“They’ve often been found lacking in their backup and DR as well, so have had to pay the ransom to get their businesses up and running again.”
Cloud providers meanwhile, have to prove their security, even before they launch a service.
“A cloud provider has the funding behind it to invest heavily in its security technology and apply it all the way from the edge, down to individual tenants.”
“It’s important that the platform we offer can maintain absolute, secure separation of customer data while being able to efficiently deliver compute from a shared platform,” Maclean says. “We couldn’t do this without purchasing the very best equipment available and having it configured by the very best engineers in the industry.”
On top of this, cloud providers typically have to architect their platform for keystone customers, which often means making sure the platform complies with independent security standards, such as PCI DSS for customers who hold credit card data; privacy law compliance and often, the standards of other countries when providing services internationally.
Cloud providers can give smaller businesses the enterprise grade security that is normally out of reach, due to costs, Maclean notes, and take away the complexity of managing security, enabling SMEs to get on with their own business.
“That’s where the efficiencies of shared – or hybrid – cloud platforms are realised.
“A small customer only has to pay for a small share of the security platform the cloud provider has invested in, but reaps the full functional benefits of it – pay a fraction, get it all.”