Just about every survey lists security as the number one reason that IT organizations are hesitant to embrace cloud computing. But what most of those surveys fail to recognize is that most internal IT organizations are not all that good at IT security. Arguably, cloud services are more secure because the companies that provide those services can afford to invest in state-of-the-art security technologies and the people with the skills needed to manage them.
In fact, a new report released this week by Alert Logic, a provider of managed and cloud security services, goes a long way towards highlighting just how spurious the cloud security debate has become. The analysis of 1.5 billion security events found that when it came to security attacks, both on-premise systems and systems managed by cloud service providers were subject to roughly the same number and types of attacks. The only major difference is that internal IT organizations managing on-premise systems had to contend a lot more with malware simply because the number of systems they were supporting created a much broader attack surface.
None of this means that security is not an issue; it just means that it’s not an issue specific to cloud computing. Urvish Vashi, vice president of marketing for Alert Logic, says that in his company’s experience, the vast majority of security incidents are a result of systems being misconfigured in a way that makes them vulnerable to an attack. Chances are that such misconfigurations are more likely to be made by internal IT organizations that may not have the same level of management expertise as a cloud service provider.
In theory, at least, cloud service providers are tempting targets because they concentrate so many application workloads inside a few data centers. But we’ve yet to see anything more than a handful of significant security breaches in the cloud compared to the number of breaches being reported by internal IT organizations.
Ultimately, resistance to cloud computing has more to do with fear of losing control than it does with actual security. It’s just easier to cite security rather than fear as the reason for not being more aggressive about making the move to cloud computing.