According to LogicMonitor’s “The Future of the Cloud – Cloud Influencers Survey,” by 2020, the share of workloads running in the public cloud could increase by 10 percent, from 31 to 41 percent. Despite this growth, some holdouts still prefer their self-managed on-site databases, citing concerns over the security of off-site managed database solutions, a field in which Amazon is the biggest player. But public cloud providers are more confident in their security than ever before. So what’s to fear about moving your database to the cloud in 2018?
“Security” ate up 66% of responses to LogicMonitor’s survey question about the biggest challenges for organizations engaged with the public cloud.
“A lot of the optimism with [public cloud services] is that developers — with the agility of it — they can just fire up a bunch of instances of different types, take them down, replicate them, etcetera,” said Jeff Behl, chief product officer at LogicMonitor. “At the same time, that speed and agility makes it so trivial for them to just get it going and working — and that’s what they’re rewarded for — that they’re not paying attention, or their company doesn’t have enough of a mature, serious prep model around it, that they’re just leaving their databases open to the world.”
In comments regarding the Cloud Security Alliance’s “The State of ERP (Enterprise Resource Planning) Security in the Cloud” report, John Yeoh, research director, Americas for the CSA, echoed that lack of preparedness is the major issue for organizations looking to move operations to the public cloud.
By Behl’s estimate, this type of human error, the result of unpreparedness, lack of experience and carelessness, is by far the biggest current security threat reflected in the survey.
“You see that in the news fairly often, where somebody misconfigured something, say an Amazon S3 bucket, which created external access through it and people downloaded it,” said Behl. “Technically the cloud provider is just offering a service and you left the door open in your house. On the other hand, I think it is incumbent on [cloud providers] to get better at that.”
But Behl says he’s seen first-hand how cloud companies like Amazon in particular have made serious efforts to mitigate fumbles like these.
“I know Amazon is making it much more explicit when you’re giving really open privileges, to the best of their ability,” Behl said. “I’ve seen directly, going through their console, that they actually give warnings now saying that you’re leaving things open to the world. There are emails that are sent out — they’ll actually proactively probe for things and say, look, this is open to the world, are you sure you want it to be?”
Amazon also has systems in place, Behl said, that allow users to set up alarms or shut-down procedures if anything ever becomes open to the public internet.
This is hardly the only concern. Behl plays down the others, which include the risk of exploits and competition with the cloud providers themselves, but says some industries are more likely than others to have these less pressing concerns.
“I think the industries that are most sensitive are any that deal with financial data — period,” Behl said. “It’s not inconceivable that some folks are worried that they might be competitors with Amazon at some level and they’re putting their specific data in that cloud. I think what really concerns the security aspect of things is that there’s a lot of governance and compliance issues right below that. They might dictate certain things that haven’t been modernized, which might deem it a security risk that you’re running on someone else’s hardware.”
Aside from outdated governance, Behl says little stands in the way of a decision to move to the public cloud, given the standard to which cloud providers hold themselves in defending against security threats on their end.
“There’s the fear I think that the cloud is a shared platform and that by virtue of you putting it in the cloud, somehow somebody else running in the cloud automatically has access to your infrastructure — whether that be through some sort of exploit or whatnot,” Behl said. “That is potentially valid, but it’s relatively small in my opinion. I think that the cloud providers are so focused on making sure that that is covered to the nth degree, knowing that the implications of that sort of shared attack and what that would have through the industry.”
But Behl reiterates that the primary concern is more valid than the others.
“In your own physical data center environment, you’re usually behind a firewall, meaning not everybody in the world can see your database sitting there running on an open port, so you might not necessarily care,” Behl said. “But in the cloud, it just takes a few clicks or not clicking and that database that you just spun up that you just put data into — could be customer, could be internal — is now potentially probeable to the world. Maybe it still has a password on it, but that password is simple. That is the biggest security threat out there given the opportunity of what the cloud can give you — just throwing things up there and making it accessible to anybody.”
Despite these concerns, there doesn’t appear to be any sign that the industry as a whole takes much issue with moving workloads and databases to the cloud. The LogicMonitor survey predicts the growth noted above, the CSA report cites cloud market-size projections calculated at between $25 billion and $30 billion over the next five years, and the same report lists simplicity and lower cost of ownership as the appeals of cloud operations over on-site.
Behl said that there could be concerns further up the stack, such as “security at the level of worrying about someone with a truck backing up and stealing servers,” but, said Behl, “I imagine that’s not what they’re concerned about in this survey.”