Public Cloud Security: Don't Believe the Hype
As happens so often, the rhetoric does not match the reality.
A common rationale for using public cloud computing is that security done by professionals will invariably be better than that which is practiced on-premises. This mantra is repeated so often that questioning it is akin to blasphemy. Despite this, it is not objectively true that cloud security is better than on-premises security.
True believers will react with anything from derision to active attempts at career sabotage for even attempting to discuss this topic. For many, the primacy of the public cloud is unchallengeable, and the argument of superior IT security is one of the pillars of argumentation.
Once you cut through the rhetoric, the security argument really boils down to two factors. The first is that public cloud providers know how to use and configure load balancers and their firewalls. In other words, public cloud providers have decent to good network edge security, whereas a lot of on-premises systems administrators, quite frankly, don't even know how half the basic elements of the public cloud-provided solutions work.
The second argument is that public cloud providers have a "secure by default" approach. When you light up a service, expose a VM through the load balancer or basically do anything using the cloud providers' interface, the default configuration is generally considered secure.
Part of this "secure by default" approach is that updates are set up to run automatically. Public cloud providers strongly advise that applications be deployed by recipe and their data isolated. That is to say: applications should be installed via a script, and data held separately from the application in case the application container or entire VM needs to be scrapped due to a bad patch, compromise, etc.
The further down the rabbit hole you go, the more the public cloud security argument tips away from running your existing workloads in a secure fashion, and moves towards the adoption of new coding and design paradigms that would require either writing an entirely new application in a completely new way, or getting someone else to do it for you. Public cloud computing's security argument thus rests in part on the idea of simply throwing out all your existing IT and embracing newer, more modern IT.
Flaws in the Arguments
There are some pretty severe flaws in both arguments for public cloud security. The first argument -- that public clouds are better at edge security -- is almost laughably irrelevant in today's world.
Software-Defined WAN (SDWAN), layer 2 extensibility and microsegmentation -- all parts of Software-Defined Networking (SDN) -- are changing how we view the network edge. IPv6 is taking off, and IPv6 gives publicly addressable IP addresses to everything behind the network's edge, limiting the utility of defending anything at the edge in the first place. The push to encrypt all communications further limits what edge defenses can do to protect IPv6-enabled systems or workloads.
I'm not arguing that edge security isn't important -- it is -- but rather that it is only a small part of security. Arguing about the importance of edge security is a bit like holding up the seatbelt as the single most important safety feature in a modern car, ignoring decades of improvements that, cumulatively, are far more beneficial.
The "secure by default" approach has flaws, too, not the least of which is a push by enterprise application, operating system and networking vendors to deploy their wares in a secure configuration by default. Not every vendor plays along, but enough have that the security landscape is a lot different today than it was 10 years ago.
Ultimately, it is entirely possible to set up public cloud workloads such that they aren't secure. It is equally possible to set up on-premises workloads such that they are. Experience and expertise are still relevant, even when dealing with the public cloud.
The last concept to consider is that of magnitude. A public cloud provider can hire very expensive top security experts to design secure defaults, and those costs are still insignificant because of the scale of the public cloud. They add pennies per month to every VM.
The flip side of this is that public clouds are a great big, fat target: thousands or millions of identical workloads all secured identically from the same base template. Since cracking one cracks them all, it can be argued that there is value in differentiation; after all, our immune systems evolved along these lines in response to disease for a reason.
There is no winning the argument either way. There are good cases to be made for both sides, and that's the important part to remember. A nearly religious doctrine -- that public cloud security is invariably better than on-premises security -- can be, and should be, regularly questioned and tested. Make sure it applies to your workloads before you take the plunge.
Trevor Pott is a full-time nerd from Edmonton, Alberta, Canada. He splits his time between systems administration, technology writing, and consulting. As a consultant he helps Silicon Valley startups better understand systems administrators and how to sell to them.