Cybersecurity of Cloud Hosted Infrastructure vs On-Premise
Something interesting that our team experiences on a near-daily basis is the belief that cloud systems are somehow less secure than an on-premises solution. Organizations seem to believe that hosting data in the cloud relinquishes control and exposes that data to compromise.
The reality is many of these same organizations spend very little focus or budget on cybersecurity themselves. Generally, if your organization is not willing to put the time, effort, and capital necessary to truly secure an on-premise solution then it would be more secure to focus on a cloud provider.
Is every cloud provider secure? No – just like any modern operation, cybersecurity is a cost that the cloud providers must balance. However, a large majority of legitimate cloud providers have been vetted against very strict cybersecurity measures and have relevant certifications that prove a third-party audit of security has been performed.
In this post, we wanted to focus on some of the most common threats facing organizations and how cloud hosting can affect these threats.
Audits for a system directly hosted by an organization will greatly depend on the type of data being hosted and the associated industry. For example, HIPAA requirements will be involved for any organization that hosts ePHI within it’s system boundaries. If processing and storing credit card transactions, PCI DSS will likely be a compliance requirement. Even SOX compliance involves cybersecurity auditing and control standards.
These audits can be time-consuming, costly, and carry with them a major administrative burden. When hosting on-prem, always consider the data compliance standards and whether your organization can afford to maintain these standards.
Cloud providers will generally be selected by an organization based on data compliance standards. As a general rule of thumb, the higher the level of compliance required the higher the associated infrastructure costs will be. Some of the most expensive compliance standards usually revolve around government hosting and DoD data security.
If considering cloud migration, one of the first steps your organization should take is to map out all compliance requirements in order to filter our providers.
Backups and Business Continuity
When dealing with a disaster, whether it be ransomware or natural, your organization will likely require an emergency restoration of systems in order to recover operations. When dealing with exclusively on-prem infrastructure, several factors must be accounted for in order to ensure this business continuity is stable and reliable. Geolocation diversity is a must. Ensure that the same disastser cannot affect all backup systems.
Additionally, a backup system that enables rapid recovery and analysis of backup images is critical. Ransomware attackers prefer to dwell within systems for weeks or months before launching an attack. Ensure your backup solution can detect and remediate these hidden threats.
The most convenient part of cloud hosted disaster recovery infrastructure is the ability to easily provide geo-diverse backups in hardware that is hosted by another company. The savings of a centralized datacenter are usually too great to be ignored, and most organizations opt for a cloud-hosted disaster recovery and business continuity solution.
Additionally, purpose-built systems provide additional security controls and restoration speed that is difficult to match with on-premise systems.
Constantly evolving threats have led to a cybersecurity arms-race between defenders and attackers. Unfortunately, many on-prem systems have not been paying attention to this escalation. Attacks against on-prem infrastructure is more common than ever. Very often, we find that organizations believe that a firewall and anti-virus is enough to defend their system from a critical attack.
A quick glance at modern cyber-liability insurance requirements should be a clear indication that the minimum acceptable standards of cybersecurity controls have changed. At an absolute minimum, network-wide multi-factor authentication, endpoint detection and response, SIEM/SOC, and application whitelisting must be considered for on-premise systems.
These tools all require dedicated cybersecurity staff to properly function. If this is not a cost an organization is willing to digest, cloud hosting might be the best path forward.
Generally, it will be difficult to determine the exact cybersecurity solutions used by a cloud provider. However, your organization can get an idea by looking at the requirements of the third-party audits and cybersecurity frameworks that their solution is currently complying with.
Chances are, the highly-compliance cloud infrastructure providers are going to be highly focused on providing top-level security. A successful attack or breach against a cloud-infrastructure provider is an existential threat. Most legitimate cloud providers will have the appropriate insurance, controls, and staff to properly secure their environment.
Moving to the cloud is not a light decision. Budget, bandwidth, downtime, and resources are just some of the factors that must be taken into account for this decision. The stability, scalability, and security provided by a cloud migration are primary reasons that most organizations are trending towards cloud migration.
If your organization is finding it difficult to decide whether cloud migration is really going to be more secure, take a look at some of the requirements that cloud providers have to work around. If your organization doesn’t meet these standards, it is very likely that your team is not able to properly provide the security necessary to host an on-premises infrastructure.