“We can secure our sensitive data better if it remains on-premise.” — Anonymous Enterprise Architect.
I have heard this comment a few times and I begin to wonder what this means. After all, on-premise is virtually the same place as the people who know about the sensitive data. And isn’t data security relative? I’d bet data stored on this…
… is more secure than any storage system with a network interface.
Seriously though, arguments exist for both on-premise and cloud supporters for data security. What is interesting about this statement is that the focus is, “I can protect our data better than anyone else.” When perhaps the discussion should be “How can I protect our data better than anyone else?”
The physical location of data is a risk, especially if technical resources know where to find the storage. If it is in the cloud, it is more likely that the provider has no clue what data the customer is storing, or perhaps even, where it is in the data center. This is to protect both their customers and reduce the provider’s liability.
While relinquishing the data to a third-party might seem less secure, it is most likely going to an organization that is probably equipped with security controls that are better than what is in place now.
Equifax’s breach in 2017 is a prime example where even a diligent IT department suffered data exfiltration over a 76 day period in which their Disputes portal contained an exploit that had been announced 2 months earlier. An open-source framework for the website, Apache Struts, required a patch to close the gap. During that time, hackers acquired 200,000 credit card accounts. Cloud providers would have been more diligent about applying security patches and could have detected the intrusions more quickly. There have been no arrests to this day.
According to The SecurityMetrics 2019 PCI DSS Data Breach Analysis, in 2018 Credit Card data breaches in organizations were primarily due to:
- External Threat: 50% breached through remote execution or injection.
- Internal Threat: 33% breached internally and employee assisted.
- Mixed Threat: 17% breached through Phishing emails.
50% of breaches, an employee participated in the breach. Either intentionally or by accident. The other 50% of the time, a hacker found or knew about a security exploit.
The recent data breach at Capital One happened because allegedly one hacker acquired 106 million credit card applications that contained sensitive information. The accused, a skilled engineer, succeeded because she was an ex-employee of the hosting provider for Capital One’s website. Using an offshore VPN, Tor and service credentials she obtained while working for the hosting provider. Had she not bragged about the hack on social media, she might have gotten away with the deed.
According to Capital One the MySQL database backups she was able to secure:
- About 140,000 Social Security numbers of our credit card customers.
- About 80,000 linked bank account numbers of our secured credit card customers.
Each of these shows that cloud service providers are improving security, but moving to the cloud alone is not enough. Security risks are ever-present, so migration alone will not secure everything. However, in my assessment, all signs should point customers to the cloud because security is always evolving. Cloud providers will continue to patch vulnerabilities as they encounter them. So you get security as part of the deal. There are different offerings for cloud including public, private and government. Public clouds like AWS, Google and Azure are quite popular. Private clouds can be either on-premise or managed by a vendor. Some examples are VMWare, RedHat, and IBM. Government clouds like SalesForce Government, Oracle, and SAP.
If you liked this article, please share and if you’re interested in migrating to a cloud provider, please check out my Cloud Migration Checklist for SAP Customers.
If you are interested in viewing similar articles, visit our blog, here.
View our LinkedIn, here.