At the risk of being ‘voted off CISO island’ or worse, ‘lose my CISO card,’ I’m prepared to make an argument contrary to the popular opinions expressed by many of my fellow CISOs. I believe cloud-based migrations can actually bring several security advantages for certain organizations and especially SMBs.

I find it surprising that so many fellow security practitioners are still discussing the ills of the nefarious “cloud.” I also wonder why many of the pundits, in their haste to further incite fear, uncertainty and doubt (FUD), often never take time to delineate the differences between the various “clouds” before piling on.

But then again, if they did attempt the delineation of the various types of cloud offerings – private cloud versus public cloud, platform as a service (PaaS), infrastructure as a service (IaaS) and software as a service (SaaS) – the fallacy of their logic would be revealed. So, instead they opt for broad generalizations that have limited substance and accuracy.

A few of the more overused FUD tactics, of course, are those of data residency, commingling of data and access controls. You may recognize the following rhetoric: “when you move to the cloud, your data could be anywhere,” “your data will be commingled with everyone else’s,” and lastly “anyone and everyone has access to your data in the cloud.”

Many of these fear factors are only applicable to public SaaS, but this fact is usually disregarded or overlooked. Furthermore, with both geo-load balancers aside and pre-negotiated contractual terms and conditions, it would make little sense for a SaaS provider to not house client data in proximity to where it’s being used to minimize latency and improve performance.

So in defense of cloud providers everywhere, here are my arguments for why organizations should consider cloud migrations and their security advantages:

1. “Trust” is the basic building block of the go-to-market business strategy of all cloud providers and with fragility of that trust by clients, cloud providers have zero tolerance for poor practices that could compromise their systems and hurt their “brand.”

2. Most cloud providers of infrastructure, platform or software exist within regulated industries themselves or they serve clients in these industries, and hence the tools, tactics, techniques and procedures of most cloud providers are held to very exacting compliance standards by various examiners, standards bodies and compliance organizations.

3. With few exceptions, the size, annual budget spend and talent skillset of most cloud providers typically exceed those of in-house cyber resources.

4. If my fellow CISOs would for a moment remove the blinders, they should pause when they consider that small businesses are what fuel the US economy. Most small and medium-sized businesses can ill-afford the kind of capital and operational expense investments that it takes to truly protect their businesses from cyber criminals. As an industry, we should be encouraging SMBs to move to the cloud versus feeding them baseless FUD.

Want to Read an Executives View on Why to Avoid the Cloud, Read:

A CISO Checklist: 11 Reasons to Avoid the Cloud by Farhaad Nero Bank of Tokyo-Mitsubishi UFJ, Ltd., VP Enterprise Security

Leave a Reply