Bad security decisions could lead to enormous costs and significant business disruptions for any company, regardless of size. The constant drumbeat of news stories about breaches, malware attacks, and other cyber scenarios only serves to raise the level of anxiety. Because of this, companies looking to start or extend their use of cloud-based solutions quickly come to the question of security. Do cloud-based solutions expose companies to higher security risks? Or are cloud-based systems more secure than on-premises alternatives?
There is, in fact, no single answer to the question of whether cloud technology is more secure than on-prem technology. The better question for companies to ask is whether cloud-based providers have configured their solution correctly.
Ultimately, cloud solutions that have been configured correctly are more secure than on-prem solutions. This can be explained as “the power of one.”
Configurations for Optimal Security
Setting up a software-defined perimeter offers a single protected entry point for end-users at the application layer while keeping infrastructure layers invisible and out of harm’s way. But not all cloud providers work this way -- even some of the best-known enterprise cloud-based tools manage security at the database layer instead.
Because of the differences in approach and maturity among cloud providers, companies should be prepared to ask cloud providers tough due diligence questions about how they protect their underlying data and infrastructure. Do not fall into the trap of approaching security as a matter of faith in providers.
Especially in a world where user-managed devices and remote access are common, companies should not adopt cloud solutions without knowing exactly how users can get in, what they see, and how their access is managed. Cloud providers should manage these dimensions with the same discipline for their own internal users as for client end-users.
The Power of One
The power of one reduces the points of attack (i.e., the threat surface) that a bad actor could potentially exploit. Defending one gate is easier than 1,000 doors and windows. When new vulnerabilities emerge, it is also easier to remediate that one gate than to check and patch 1,000 smaller entry points.
Well-designed cloud-native applications simplify the process of reinforcing or patching, too. New threats emerge all the time, and hackers are extremely clever. When new vulnerabilities appear, having one secured codebase fanned out to many allows the many to benefit from the one. One investment in a security fix cascades to every user. Compare that to having multiple instances of an application and multiple versions to manage. Permutations of the number of vulnerabilities times the number of instances times the number of versions of the code base spiral out of control quickly. Such complexity leaves application owners more brittle and more exposed to threats for longer periods of time.
While it is easier to protect just one gate, that gate still needs to be properly protected, and this is where a buyer’s level of maturity and security capabilities comes into account. For example, if user “jsmith” has used the password “1111” for their laptops and every account since 2010, no amount of cloud provider security can protect their credentials from compromise. It’s not just about the providers companies choose -- it’s also about their mindset and how well they manage their own user and network policies.
Cloud Security Doesn’t Just Happen
Cloud security is a two-way street between the user and provider. For novice cloud buyers, the good news is that there are tools to help companies get up the learning curve more quickly.
For example, the National Institute of Standards and Technology (NIST) offers a robust cybersecurity framework that organizations can adopt. There are other models as well, developed by various national governments, industry groups, or international organizations such as ISO (specifically ISO/IEC 27001). There are also vendor management and due diligence platforms that potential buyers of cloud technology can readily adopt.
Simply put, a user’s commitment to security and investment in secure architecture creates a real advantage, be they novice or long-term cloud adopters. And in turn, that advantage maximizes the power of one effect of the cloud.
Thomas Kim was named CEO in early 2020 to build upon Enfusion’s success as an industry-leading technology provider in the investment management industry. With more than 25 years’ experience in the capital markets, Thomas recently served at Bridgewater Associates for over 7 years, most notably as COO of the Investment Engine Group. Prior to joining Bridgewater Associates, Thomas held a wide range of executive roles at global sell side institutions, Lehman Brothers and UNX as well as leading fintech firms Tassat, TradingScreen, Macgregor and Merrin Financial/ADP. Thomas holds a degree from the American University.