I spent last week at the RSA security conference in San Francisco, and I came away more convinced that the cloud is your best security bet.
I learned security is very much about determining the probability of an attack and putting your resources toward protecting those areas that are the most likely to experience an attack. That's because most organizations simply can't afford to protect everything and run a profitable business.
The same goes for post-breach analysis. Even if your security tools show that an employee has clicked a malicious link, it's still about determining the likelihood that the move will materially threaten your networks or your intellectual property and deciding if some sort of remediation is warranted.
So far at least, the cloud vendors have been doing a good job of keeping their systems safe. As Troels Oerting, CISO at Barclays, put it during a panel discussion on the 2020 data center last week, in those times that the cloud has been breached — as happened in the Sony hack — it was the customer (Sony) that was at fault, not the cloud vendor.
"I still have yet to read about a cloud company being breached. It's always the owner of the data who is breached," Oerting said.
That means that in spite of handing over your data to the cloud vendor, you share the responsibility for making sure your connections to your cloud services are secured.
Taking security seriously
The thing to remember is that, to this point, we haven't seen a hacker getting inside a cloud service and moving laterally to get content from a variety of customers. Never say never, but it hasn't happened yet.
Box CEO Aaron Levie told The Wrap last fall that's because cloud companies like Box, Amazon, and Salesforce have architected their technology to have security at the core of what they do. In addition, Levie said if you update your infrastructure and architecture to a more modern IT model, it gives you better control of your data and a better shot at being secure.
It doesn't guarantee you won't be hacked, but it certainly puts you in a better position than those companies operating off of legacy platforms.
It's only a matter of time before we hear about the next major breach, but what we don't hear about is a major AWS breach or an Azure breach or a Salesforce breach — and when we look at security from a probability standpoint, it seems your safest choice could be the cloud.
It might seem that giving up control means you would be less safe, and that was the prevailing thinking for a number of years. But now IT pros are beginning to understand that the safest route to securing your content may be that reputable cloud vendor.