Many senior cyber security managers argue that large-scale, mass-market public/private cloud offerings like Microsoft Azure, Amazon Web Services, Rackspace Cloud etc. are very secure, and often more secure than running in-house servers. Why? Because they have larger departments designing the architecture, implementing isolation and monitoring. An FTSE 100 firm may have a handful of monitoring staff, whereas the names listed above have tens of operations staff.

This over-generalisation does not hold for small to medium-scale cloud offerings. Some I have seen are poor, read “We offer ultra-secure online backup......” no, you do not. Many companies use high-security data centres and sell themselves as ultra-secure when all they really have is strong physical security. Who is really going to break into a data centre these days? People used to break into data centres (and still do) to steal hardware to sell on the black market.

Take two “normal world” scenarios. 1. You rent a high-security bank vault, which by default is very secure, but you leave the keys out with the PIN on a Post-it note next to them. The high security is greatly reduced, and by you. 2. You have your house fitted with a bombproof door and bulletproof windows and then leave one window open. Top security, out the window. The same applies to the cloud: if you configure it poorly, you have made it less secure, whatever the provider did.

Yes, the data centre has good physical security, dual power feeds + dual generators + dual UPSs, data replication, logical isolation that is likely better than what you implement in-house, and more. But poor coding that leads to application-layer vulnerabilities, or poorly configured firewall rules, are the same problem whether you use a reputable cloud provider or run on physical or virtualised servers in your own data centre.

The better logical isolation set up by default by the cloud provider will hopefully mean a compromise does not spill over to other clients or to the other virtualised server endpoints you rent, but a breach is still a breach. Many companies' information must be encrypted, yet in many cases the encryption on offer can be pointless: providers typically offer “at rest” protection, and think about it, how many people are going to break into a data centre and steal a SAN drive? Data from a single SAN drive would also be hard to make use of.

BitLocker and Microsoft SQL Server TDE (transparent data encryption) offer little or no protection against an attack “over the wire”; they mainly protect against someone pinching the entire physical hard drive. Once the operating system is booted or the database engine is running, the data is decrypted transparently for any process or query that reaches it. The concern should be someone getting onto a server through SSH, RDP or, more likely, a SQL injection attack. Only a few specialist products offer protection for these scenarios, and they cost a fair amount to implement.
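To make that concrete, here is an added illustration (not from the original post) of the attack path that at-rest encryption does not cover. It uses Python's built-in sqlite3 with a constructed customers table standing in for a production database. The at-rest encryption layer is deliberately not modelled, because it is irrelevant to this path: the injected query arrives through the application's own authorised database connection, and the engine hands back plaintext exactly as it would for a legitimate query. The table, column names and payloads are assumptions for the demo.

```python
import sqlite3

# Constructed sample data standing in for a production customer table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4242"),
    ("bob", "bob@example.com", "1881"),
    ("carol", "carol@example.com", "0005"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email, card_last4) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Typical injection bug: user input is concatenated into the SQL text.
    This endpoint is only meant to expose name and email."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Two classic payloads (assumed for the demo). The first turns the WHERE
# clause into a tautology and dumps every row; the second uses UNION to pull
# a column the endpoint never selects. The trailing '--' comments out the
# closing quote the application appends.
DUMP_ALL = "x' OR '1'='1"
UNION_CARDS = "x' UNION SELECT name, card_last4 FROM customers --"


def demo() -> dict:
    """Run both payloads against both lookups and return the rows each yields."""
    conn = make_db()
    return {
        "vuln_dump_all": lookup_vulnerable(conn, DUMP_ALL),
        "vuln_union_cards": sorted(lookup_vulnerable(conn, UNION_CARDS)),
        "safe_dump_all": lookup_safe(conn, DUMP_ALL),
        "safe_union_cards": lookup_safe(conn, UNION_CARDS),
        "safe_legit": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every customer for the first payload and every stored card fragment for the second, in the clear, even though a real deployment might have the database files sitting on a TDE-encrypted volume on a BitLocker-encrypted disk. The parameterised version returns nothing for either payload because the input can only ever match a name. That is the layering point of the paragraph above: disk and database encryption act below the query, so the controls that matter here are the ones that act on the query path, starting with parameterised statements.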

Best practices such as code scanning, pen testing, inbound + outbound + internal firewalling, web application firewalls, antivirus, endpoint hardening, authentication, running current software, monitoring, strong ciphers, patching, whitelisting, privileged account control and more are still a necessity. So the next time you use the cloud to be more secure and reduce cost, do not be complacent: get a specialist to review and secure it, followed by an application and infrastructure pen test.