by Matthew Granade on January 6th, 2015
Here’s a question we hear a lot: We’re not that comfortable with the cloud from a security perspective -- can you install Domino on premise? The answer is yes (we have both an on-premises and cloud-hosted version of the Domino data science platform because that’s what clients want) but we think the central assumption of that question deserves further consideration, because it’s often wrong.
The question isn’t “is my data safe in the cloud?” The question is: “Where is my data safer — in the cloud or on infrastructure I manage?”
When considering the cloud, some companies ask a series of thoughtful questions, apply a healthy dose of caution, and carefully think through specific risks. But a surprising number of companies stubbornly reject the cloud outright for reasons that sound mostly like paranoia, dogma or general FUD.
Which is more secure...
Both in founding Domino and in my previous job as an executive at a large hedge fund, I worked extensively on security issues — making sure that both companies had a strong strategy for staying on top of increasingly complicated threats.
From that perspective, the security advantages of the cloud are clear to me. Unless you are a large, very sophisticated company (and maybe even then), your data is probably safer in the cloud than on your own infrastructure. The question isn’t “is my data safe in the cloud?” The question is: “Where is my data safer: in the cloud or on infrastructure I manage?”
Let me offer two reasons why the cloud is probably safer for your company.
First, the systems reason: chances are that security is a more important priority for a cloud infrastructure provider than it is for your company, meaning you benefit from that greater security prioritization when you use them as a service provider. Take Sony as an example. Cyber-security might be in the company’s top ten priorities but it’s almost certainly not in the top three or five. Well above that would be picking great movies, making movies, hiring talent, distributing and marketing movies, negotiating deals, etc. Now think about Amazon Web Services. Security is probably its second or third priority because a security breach represents an existential threat to its business whereas in Sony’s case it does not as the recent hack (despite all the hand wringing) proves. So Amazon is going to invest tremendously in security -- it has to.
Second, let’s look at some of the major threats facing company data and how our two infrastructure options compare from a security perspective. (This sort of threat based analysis is really how all security decisions should be made.) In every case, the cloud is either better or neutral from a security perspective.
What you should worry about
Insider threats are one of the biggest risks to any company. In 2013, insider attacks made up 18% of all data breach incidents, according to the 2014 Verizon Data Breach Investigation Report. Employees routinely take intellectual property — for financial gain, because of a grudge, for fun or sometimes even by accident.
Beyond that, “physical theft or loss” constituted 14% of 2013 incidents — most of which occurred at the hands of employees, of course. And “miscellaneous incidents” constituted 25% of incidents, with the Verizon report noting that the source of these errors is “almost entirely insiders, of course. End-users, sysadmins, and developers lead the pack when it comes to mucking things up.”
In other words, between explicit insider attacks, theft or loss, and insider errors, over 50% of data breach incidents were the result of insiders. How difficult would it be for a disgruntled employee to exfiltrate some of your secure data? Are your employees properly trained to avoid phishing emails? Are you sure? How many of them would fail a phishing test? And how do you know your employees are well intentioned?
What does this have to do with the cloud? At worst, using the cloud makes the insider threat (probably your biggest risk) no worse. But as a practical matter, we often find that using the cloud reduces this threat because companies that use the cloud for their infrastructure segment their networks more, meaning it’s more difficult for an employee to move from an area where they should be to an area where they shouldn’t be. Also, cloud networks tend to be more monitored.
Your software update process
Are you running out-of-date software with any known vulnerabilities? How do you know? When security patches are released, how quickly do you deploy them?
Most cloud providers, including Amazon, address critical vulnerabilities in their underlying infrastructure extremely aggressively. For example, earlier in 2014, Amazon dealt with the critical Heartbleed vulnerability in a matter of days after it was announced.
Heartbleed is a good benchmark for companies that consider their security better than a cloud provider. Ask your IT team how long it took for your company to get fully patched against Heartbleed and compare that to how long it took Amazon Web Services.
Where are your servers? In your office building? In a data center? Who has access to the machines? How difficult would it be for someone to simply pick one up and carry it off? How tight is the security to get into your building?
Setting aside threats and attacks, how vulnerable are you to disasters that might cause outages or data loss? These threaten your availability, another dimension of security. Is your physical infrastructure safe from fire, heating and cooling issues, electrical failures?
You can read a ton about AWS’s physical security but suffice it to say it’s world class, in terms of access controls as well as safety measures. Most organizations would find it impossible to match.
Is all your internal traffic encrypted? If someone — an employee or anyone walking into your office — plugged a packet sniffer into an ethernet jack, what would they be able to pull off the wire? Passwords? User data? Financial data? Many companies require external traffic be encrypted, but are fairly lax about encrypting traffic within their network (which means their network security is only as good as their physical security).
Are your hard drives encrypted, on your servers and your employees’ machines? If not, it’s a whole lot more damaging if someone walks off with one of those devices.
Cloud infrastructure-as-a-service providers often have features that make it easy to enable encryption for data at rest and in transit or provide such configurations by default. And many services built on top of cloud providers (including Domino’s cloud-hosted offering) use encryption automatically.
This is a good example of the security benefits you get from working with a partner who has security as a higher priority than you do. Lots of companies don’t encrypt their data internally. But a Cloud provider wouldn’t even think about not offering that feature. All you have to do is turn it on.
Of course some of the risks above are present even if you’re using the cloud (your employees might still have sensitive data on their computers that is vulnerable). And at the same time, a big, sophisticated company could absolutely implement a complete security regime that would rival that of AWS.
The point is that the cloud is probably safer because cloud providers have to invest so heavily in security to make their businesses more.
I’ve described a small sampling of areas ripe for attack. It’s important to remember that smart attackers will use combinations of these vulnerabilities. Just for fun, here are some hypothetical scenarios to keep you up at night, most of which are much less likely if you’re using cloud infrastructure:
- Someone breaks into your office or data center and steals your machines.
- A naive employee falls for a phishing email that installs malware on his machine, which in turn exploits an unpatched vulnerability on one of your servers.
- An attacker poses as a job applicant and gets an interview with your company. While the interviewer is out of the room, the attacker plugs a device into your network that pulls passwords and other secure data off the wire.
- A disgruntled employee comes into the office one night and steals physical machines with secure data.
- An attacker poses as an electrician or a repairman from your phone company, telling a story that convinces the receptionist to show him to the electrical closet or server room. There, he plugs a USB key into your server that does any number of damaging things.
Conclusion & Recommendations
Good security is threat based: you should make sure that the threats are prioritized and you have good strategies for each. And in making a decision about cloud versus on-premise infrastructure -- or any other decision -- you should go threat by threat and compare the risks with each option. Regardless of your decision, here are some suggestions for keeping your assets secure:
- Think through threats systematically and analytically. What assets would be most valuable to an attacker, and what are all the different ways an attacker could access them? What are the weakest links in the different layers of your systems (including personnel and physical infrastructure)?
- Have a professional firm do a security audit and a penetration test to identify weaknesses in your security. You need to identify the problems in order to fix them.
- Make security a part of your employee training. All employees should learn about common social engineering techniques and phishing techniques, so they can spot them. Vigilance should be part of your culture.
- Pay attention to your people. Do background checks when hiring them. Watch for signs of employees being disgruntled. If you have the resources on your security team, monitor employee email and behavior to look for suspicious activity.
- Lock down your physical security. Lock computers, lock doors, use guards, cameras, etc.
- Encrypt your data at rest and in transit across your infrastructure.
- Design and implement a patch program to keep your software up to date when vulnerabilities are fixed.