
Several factors make cloud security more challenging than traditional on-premise security.
In essence, the following play a huge role:
- On public cloud, you’re renting infrastructure from another company.
- On public cloud, you have no say over what security measures the cloud provider has for their data centers.
- Cloud security requires deeper networking expertise beyond simply the server vs. client model.
- Cloud computing fundamentally requires making data and services remotely accessible over the internet, which carries with it all the risks associated with the internet.
- Lack of training and expertise in cloud technology is the primary cause behind misconfigurations, which lead to either data loss or breaches.

The above, of course, is not an exhaustive list. OWASP has listed the following top 10 risks:
- Cloud Misconfiguration
- Insecure Identity and Access Management (IAM)
- Insecure Cloud Storage
- Insecure Cloud Network Configurations
- Insecure Workload Configurations
- Sensitive Data Exposure
- Insufficient Logging and Monitoring
- Insecure CI/CD Pipeline
- Insecure Third-Party Integrations
- Insufficient Cloud Security Posture Management (CSPM)

In addition to all of the above, regulated industries require adherence to several standards such as PCI-DSS and HIPAA. Therefore, it is not enough to secure your cloud; you also need to have adequate logging, monitoring, policies and controls in place. While on-premise environments must comply with the same standards, compliance is more complex on the cloud: beyond the endpoints made available to cloud consumers, you sometimes need to ask the cloud provider for extra logs as well as for cooperation with legal holds during investigations by authorities.

Why do companies still bother with all of these complexities? The cloud is very efficient, since you only pay for what you use and you don't need to handle constant hardware procurement and all the overhead it entails.

