General Security Advantages of Cloud-Based Solutions
As you have learned, because cloud-based solution providers spread their costs across multiple customers, the providers benefit from their economies of scale—meaning most have more money available to invest in different solutions, such as security issues. The following list specifies several advantages cloud-based providers may have with respect to security:
Immediate deployment of software patches: Many software patches address specific security concerns and requirements. Most cloud-based solution providers have a team of patch-installation specialists who immediately deploy system patches. In this way, the cloud-based systems may have a shorter period of vulnerability after a software patch is released.
Extended human-relations reach: Because of their financial strength, cloud-based solution providers may be able to better vet potential employees who will administer system software. Such vetting may include increased reference checking, security and background checking, and periodic screening (such as by polygraph).
Hardware and software redundancy: Most cloud-based solution providers have redundant hardware and software resources they can quickly deploy in an emergency, including colocation.
Timeliness of incident response: Within a data center, key personnel often perform multiple tasks. A company’s security specialist may also be the company’s patch administrator. As a result, there are often delays between the start of a security incident and its identification—which may have a catastrophic result. A cloud-based solution provider, in contrast, likely has experts monitoring systems for intrusion, monitoring system utilization, and more. In this way, should a security incident occur, the cloud-based solution provider is likely to be more responsive.
Specialists instead of personnel: Again, because of their financial advantage, cloud-based solution providers may be better positioned to recruit and hire trained system specialists. A small company that tries to handle its own IT, on the other hand, may have a one-person IT staff—and that employee may have a steep learning curve.
Hosting applications and their data within the cloud also has security disadvantages:
Country or jurisdiction: It is not always clear where cloud-based resources reside. If a cloud hosts its resources within a remote country, for example, one must be concerned with the laws as well as the government stability of the country. If the cloud resources reside in multiple states, questions of jurisdiction may arise in the event of a legal matter. Should a cloud-based provider, for example, receive a subpoena or a request for an e-discovery process, a customer’s data may become part of, and exposed to, an unwanted legal discovery.
Multitenant risks: Many cloud-based solution providers use multitenant solutions, which means that two or more customers may use the same resources, such as a database. As a result, an application error might expose one company’s data to another. Likewise, if a data-storage device is shared, data remnants from one company may be exposed to another.
Malicious insider: Despite a cloud-solution provider’s best human-relations efforts, malicious employees can still happen. Depending on the employee’s role, a company’s cloud-based data may be at risk.
Vendor lock-in: Depending on how a cloud-based solution provider stores a company’s data, it may become difficult for the company to later change providers in the event of a service-level-agreement breach or other problem.
Risk of the cloud-based provider failing: Companies who rely on cloud-based providers are at risk that the provider could fail. Some companies ask for a source-code escrow agreement, which places a copy of the provider’s source code with a third-party company. Should the provider fail, the company can gain access to the source code, with which they may be able to rehost the solution. By leveraging the “big 3” (Amazon, Google, and Microsoft), you can eliminate this risk.