There is a notion within IT organizations that having control on-premises means better, tighter security. This has been the perception since prior to the cloud era. As soon as we started moving infrastructure and applications off-premises, the first objection was that off-premises control is not as secure. In earlier times this may have been the case but, security and cloud infrastructure have come a long way over the past decade.
Depth and Breadth to Cloud Security
It is time to revisit and put to bed the notion that on-premises means better security. At a minimum, you owe it to your organization to thoroughly evaluate the security of cloud and Software-as-a-Service (SaaS) providers. Overwhelmed IT organizations may benefit enormously from the leverage cloud services can provide.
There is depth to the security programs that cloud services providers are taking, and programs by AWS and Google Compute Engine demonstrate the breadth of available security approaches. Cloud services have a greater security challenge as they are publicly accessible, but, they also have a number of approaches to help mitigate the issue. For instance, there are managed service providers that focus on network security; more available data encryption tools; cloud VPN solutions to control access are on the market and in addition, there is more awareness and knowledge around how to secure cloud services. There are more security infrastructure services than ever that help support specific security tasks.
Advantages of Secure Cloud Services
Another critical advantage that cloud services have over individual organizations is that their investments in security generate a return for them from across many customers. A service provider is more apt to invest in security because they know that those investments will benefit them, existing customers, and new customers they are hoping to sign. For example, many organizations have opted to use Google Apps as their corporate version of GMail instead of their previously hosted and secured email. By outsourcing email to Google, these organizations took advantage of Google’s security prowess and the substantial investments they could make. An example of this investment is the purchase of Postini, an anti-spam solution that Google purchased and subsequently rolled into their service. Google was so motivated to secure their infrastructure that they invested $625 million to purchase Postini, but that investment is now spread across 6 million customers. This investment was worth it for Google and significantly more cost effective for their customers than it would have been to purchase their own email infrastructure and secure it with an anti-spam technology.
Directory-as-a-Service is no Different
This approach is no different in the Directory-as-a-Service (DaaS) space. Organizations may spend a great deal of money purchasing and managing their own directory service. That same directory service then needs to be secured through a variety of systems. While the argument can be made that because there are other systems that need to be secure on-premises, the investment is amortized over more services. But as more infrastructure moves to the cloud, is that truly the case? Directory-as-a-Service providers invest heavily in security, and those investments extend to all of their customers.
It is true that not all cloud service providers are created equally. No organization is. Yet, take a hard look at the cloud service provider’s security infrastructure and ask yourself if it is stronger than what you have or could realistically develop? Or are you better off investing in security on-premises? Either way, it’s a reasonable point to reconsider the conventional wisdom that on-premises security is better than in the cloud.