Of Clouds and Security


In the early days of the Cloud, the assumption was that the Cloud would be inherently less secure than your own datacenter. But is that really true?

There are several reasons why a good Cloud implementation may be more secure than your datacenter:

Attack Surface

A key element in security is Attack Surface: essentially, how many entry points you have to defend. This is not simply a question of size. Consider a building. A large office building might have only a few entrances, whereas a much smaller house might have dozens of doors and windows that open.

The best Clouds offer a homogeneous environment. Indeed, this is often key to their ability to operate cost-effectively. This means a consistent, limited set of hardware and software. This is a stark contrast to many companies’ data centers where you can often find multiple versions of multiple operating systems, often at multiple patch levels, running on a variety of different hardware platforms. The homogeneous environment of a quality Cloud presents a much smaller Attack Surface that is easier to defend.

Window of Opportunity

A new element the best Cloud solutions bring to the table is on-demand resources. There are many cases when a Virtual Machine will only exist for as long as it is needed. An application that normally only runs on three servers might dynamically scale up to a dozen servers during times of peak load, and then scale back down afterwards. Or a complex analytic job may require dozens of VMs, but only for one evening once a quarter. Or a Disaster Recovery plan might rely on snapshots of the necessary VMs kept on hand at a remote location, ready to be turned into VMs at a moment’s notice, rather than on warm physical servers.

In this new world of on-demand computing, we should also contemplate the Window of Opportunity for an attack. It is hard to attack a system that doesn’t exist at the moment.

Security Investment

The vendors of the best Cloud solutions are making significant investments in security. You need to take an honest look at how their Security Investment stacks up to your own. In many cases, you’ll find the Cloud provider investing more in Security than you. More money. More staff. More tools. Better tools. More standards. More training.

The advantage of the Cloud provider is that their security costs are spread across all their customers, as are their security benefits. For many companies running their own datacenter, that will be tough to compete with.


Because of their homogeneous environments, the best Cloud solutions can and do make extensive use of Automation. This is key to their ease-of-use and why, after a few mouse-clicks, your VM can be up and running with no human intervention. This is also a key to their ability to operate cost-effectively. Humans are expensive. Humans also make more mistakes. The sad truth is, for most companies, the most frequent impacts to the health of an application come from the inside, usually inadvertently. In other words, human error is still most likely your biggest risk.

To the extent that a Cloud solution is more automated than your datacenter, it can reduce your risk.


The best Cloud providers are diligent when it comes to process. They have to be to meet certain compliance standards. More importantly, good process, in the long run, is always more cost-effective, which gives these vendors a financial incentive for their diligence. Good process is critical to mitigating the downside of an automated environment: where human error is still possible, it can have a much broader effect.

One critical Process is the management of credentials. Even companies that do this well for employees often fall short when it comes to outside vendors and subcontractors. An interesting inherent trait of the Cloud is that everyone, essentially, looks like an outsider and, therefore, ends up managed the same way. Another inherent trait is that an independent third party manages the administrative credentials for your server and ensures password policy is enforced.

You must judge the maturity of your own datacenter’s process compared to that of the Cloud provider. Better process results in fewer mistakes, which translates to fewer outages.


In some cases, simply hosting in a Cloud instead of in a local server room or datacenter will add an extra layer of security. The most common vectors for internal attacks, after all, are still the LAN and physical access to the server itself.

Platform as a Service

Some Cloud providers also offer the next evolution in the Cloud—Platform as a Service. This increases the homogeneity of the environment, further reducing the Attack Surface, and increases the Automation, further reducing the incidence of human error. This requires a new approach to development, so it is not an immediate benefit, but it does provide a future path to those benefits.

Business Continuity

Cloud solutions and new application architectures have been shifting the conversation away from traditional Disaster Recovery methods and towards Business Continuity. Most true Cloud providers make it easy to keep copies of your data in more than one location, and cost-effective to run servers in more than one location. More and more, applications are running Live/Live from the start, in no small part because the Cloud makes this easier and more cost-effective than ever. This is another benefit that has the potential to reduce risk to your organization.


Beware of sheep in Cloud clothing, though. There are companies out there that really aren’t offering much more than Co-location and calling it “Cloud”. There are a few simple yardsticks you can use to judge. The more detail you have to know about the environment, the less Cloud it is. The longer it takes to make a change to the environment, the less Cloud it is.


At the end of the day, security is about keeping your data safe and your applications available. For many companies, the Cloud will simply be able to do this job better by reducing the Attack Surface, shortening the Window of Opportunity, applying more security resources, and reducing internal risk.
