Monday, August 27, 2012

Is Cloud More Secure Than On-Premises Software?

Security is the most common objection people - or companies - raise against the adoption of a cloud-based solution. There have certainly been enough stories reported about compromised passwords and other security breaches at cloud-based services such as Dropbox or iCloud. Emotionally, it feels like having our data stored somewhere where we can’t see it is just not very secure.

But let’s face it, we’ve had our money stored somewhere where we can’t see it for decades. Yet we seem to be completely trusting of our banks. Nobody is arguing that our money would be more secure under our mattresses. Quite the contrary, we rush to put our money into the banks knowing full well that the bank doesn’t actually keep the money. At the end of the day, it is just an entry in a computer database - a cloud. Or a private cloud, to be more precise. In any case, we consider banks highly secure today.

And so, the latest argument about cloud security goes in the opposite direction. We are beginning to realize that the cloud companies have more at stake, and so they are likely investing in security more than a typical company ever would or could afford for its on-premises software.

Let’s take an example. Thousands of companies across North America have been using ADP to process their payroll for many years. ADP’s payroll processing is a cloud-based application - it has been since long before we knew what the cloud was all about. ADP even offers to outsource the service, not just the app. Yet as far as security goes, nobody is screaming that it is preposterous to have all that highly confidential personal data stored at ADP. In fact, most people think that it is probably safer at ADP than it would be if processed by their own employer.

Indeed, cloud companies are increasingly considered capable of providing more security features than companies running on-premises software. Just yesterday, Dropbox raised the bar by rolling out two-factor authentication. How many of your on-premises applications have that?

But then again, the cloud companies are a much bigger and more attractive target for the bad guys. The hackers might never pay attention to your company and your data center, but they sure know about Google Apps, Dropbox, Amazon EC2, Microsoft Azure, and Apple iCloud. A big-name cloud company is a very lucrative target, and hacking one is a challenge that many hackers can’t resist.

So what gives? Is our data more secure on-premises or in the cloud? Well, I suppose there is no black-and-white answer out there today. There are many considerations that need to go into software selection - on-premises or in the cloud. Security is certainly one of them. And we can be sure that the security debate will remain a hot one for quite a while.


  1. I like your bank analogy, but there are two big differences between a bank and cloud software:

    1. I'm giving them something relatively generic (money), so long as I get back the same value I don't really care if they screw up on the back end. That's their problem. Not so with many other services, let's say email. If I give them my email to manage and they screw it up, it's gone.

    2. Many of the cloud services are startups. Good startups with good ideas and good intentions, but startups nonetheless. Two guys in a garage are very likely to be simply unaware of security concerns, or some bug in their software, or some crack in their hosting provider's physical security. They'll worry about that when they get big enough. In many cases these startups will fail, potentially taking my stuff with them permanently.

    This is of course not the case with all cloud services, many are mature and could be trusted. But if you look at the sheer number of services available, I would guess that the vast majority come with significant risk. Do you know which ones can be trusted and which cannot? Does your business lead? Does the new intern who just started and wants to put his stuff on the latest fad service? Probably not, which fuels generalized concern.

    1. Thanks for commenting, Pete. It's interesting that you feel the banks are so much more reliable than the cloud companies. There are many small, somewhat dubious banks out there. One of the comments I received on Google+ was from a European reader who said that in the light of the Euro jitters, the banks are actually not considered that secure by many. Yes, banks can go out of business and we've seen plenty of that during the Great Recession (2008-2009).

      I can also imagine a - hopefully very remote - scenario where all of a bank's records (aka computer disks) are wiped out. I know that some of the financial institutions in New York came pretty close to that back in 2001.

      The bottom line is that there is no such thing as perfect security (or safety). It is all just about risk management and mitigation.

  2. Thanks Lubor for a nice article.
    Thanks Pete for putting forth some good counter logic.

    It can undoubtedly be said that Cloud has got a great future. The advantages offered by cloud in this competitive era are far more compared to the risks & downside posed by it.
    The biggest concern being security. To tackle this, the need of the hour is to have more and more effective rules/regulations and regulatory bodies, which I am sure are surging up.
    The cloud companies in the market know that their reputation is at stake. So they will put their utmost efforts to patch up all the weak sides and will definitely associate themselves with the regulations, so as to give more confidence to their clients.