Story image

Mythbuster: Which is more secure? Cloud or on-premise?

09 Jun 15

What’s your IT security like?

What are you doing about antivirus protection? What is your email, web and input security solution?  What type of firewall do you have, and how robust are your firewall rules and perimeter security?

Have we lost you already?

If you’re like a lot of Kiwi SMBs, you may well think your data is best kept safely tucked up on premise, near you. For most, however, that’s a dangerous assumption.

Chris Maclean, from Maclean Technology, says on-premise security in SMEs tends to be unmanaged, with an appliance purchased from a vendor, configured and customised to suit, then left to do its job without regular updates and log checks.

“Without keeping the appliance updated, the customer isn’t getting the protection level they think they are,” Maclean says.

The best appliances are also often out of reach of the more modest budgets an SME will often apportion to network security, leaving SMEs without the benefit of the high-end intelligent features large enterprises use to analyse patterns and, crucially, prevent new attacks.

“The lower budget devices rely on matching known patterns,” Maclean says. “So they typically are not able to stop the newest attack methods. This means it’s doubly important to keep the patch levels up to date and continue to monitor the logs.”

Maclean says monitoring logs comes with its own expertise requirements, something an SME is typically not prepared – or able – to invest in.

“Most SME clients we talk to have some security measures in place, but still have gaps in their security.”

While there remains a persistent line of thought that the cloud is inherently less secure than on-premise, cloud providers need extremely robust and multi-layered security.

There aren’t many SMEs who invest in perimeter security for their site, have security guards on hand 24x7, enforce two-factor authentication, have multiple keypad controlled doorways into and out of their server room, and spend the money required to have the best possible security appliances money can buy.

“From a technology and social engineering of staff perspective, a cloud’s data centre is inherently much more secure than most SMEs,” Maclean says.

Even the ‘security by obscurity’ argument, which suggests cloud providers could potentially be more obvious targets for attackers, is flawed.

“Just like opportunistic thieves, most hackers prefer to go for the quick win,” Maclean notes. “It really isn’t that much harder for them to locate a smaller business with much weaker security, and breach that.”

In fact, the majority of breaches occur in the SME space and go largely unreported - unlike the rarer high profile attacks on well-known enterprises, which garner headlines.

Late last year Vodafone identified that 56% of New Zealand businesses experience IT security attacks at least once a year. Yet 20% of businesses with one to nine full-time employees admitted they weren’t investing in IT security at all.

Meanwhile MYOB’s Digital Nation report, released in April, shows losing access to data is a key concern for Kiwi SMBs, along with hackers gaining access to business data and losing control of data.

The cryptolocker ransomware which hit headlines last year was most successful against smaller businesses that hadn’t invested in the best possible edge security they could get.

“They’ve often been found lacking in their backup and DR as well, so have had to pay the ransom to get their businesses up and running again.”

Cloud providers meanwhile, have to prove their security, even before they launch a service.

“A cloud provider has the funding behind it to invest heavily in its security technology and apply it all the way from the edge, down to individual tenants.”

 “It’s important that the platform we offer can maintain absolute, secure separation of customer data while being able to efficiently deliver compute from a shared platform,” Maclean says. “We couldn’t do this without purchasing the very best equipment available and having it configured by the very best engineers in the industry.”

On top of this, cloud providers typically have to architect their platform for keystone customers, which often means making sure the platform complies with independent security standards, such as PCI DSS for customers who hold credit card data; privacy law compliance and often, the standards of other countries when providing services internationally.

Cloud providers can give smaller businesses the enterprise grade security that is normally out of reach, due to costs, Maclean notes, and take away the complexity of managing security, enabling SMEs to get on with their own business.

“That’s where the efficiencies of shared – or hybrid – cloud platforms are realised.

“A small customer only has to pay for a small share of the security platform the cloud provider has invested in, but reaps the full functional benefits of it – pay a fraction, get it all.”

HPE promotes 'circular economy' for end-of-use tech
HPE is planning to show businesses worldwide that throwing old tech and assets into landfill is not the best option when it comes to end-of-use disposal.
This could be the future of ridesharing
When you hear the words ‘driverless vehicle technology’, the company Bosch may not immediately spring to mind.
2019 threat landscape predictions - Proofpoint
Proofpoint researchers have looked ahead at the trends and events likely to shape the threat landscape in the year to come.
InternetNZ welcomes Govt's 99.8% broadband coverage plan
The additional coverage will roll out over the next four years as part of the Rural Broadband Initiative phase two/Mobile Black Spots Fund (RBI2/MBSF) programme expansion.
Commerce Commission report shows fibre is hot on the heels of copper
The report shows that as of 30 September 2018 there were 668,850 households and businesses connected to fibre, an increase of 45% from 2017.
Dr Ryan Ko steps down as head of Cybersecurity Researchers of Waikato
Dr Ko is off to Australia to become the University of Queensland’s UQ Cyber Security chair and director.
Businesses in APAC are ahead of the global digital transformation game
“And it’s more about people and culture - about change management - along with investing in the technology.”
HubSpot announces fund for 'customer first' startups
HubSpot is pouring US$30 million (NZ$40 million) into a new fund to support startups that demonstrate ‘customer first’ approach of not only growing bigger, but growing better.