I have talked a lot about this, but I don’t think I’ve ever posted it here on the blog.

I am consistently amused by people who fear moving to the cloud (and by people who take random potshots at the cloud) because they are worried about a lack of security.

The reality is that cloud providers have a massive financial incentive to be more secure than you, and to provide you a rock-solid foundation to build on (as always, you are free to screw up whatever you want from there). Why? Because a major security failure would lose them business, and could become an existential event (an asteroid-vs.-dinosaur type of event).

Look at it this way:

  • In your own organization, who bears the cost of a security breach? It is almost never the business unit responsible for the breach, but instead almost always paid for out of some central budget. So other priorities nearly always take precedence over security, forcing security teams to block and tackle as best they can. Even the organization itself (depending a bit on the nature of the business) almost never places IT security above priorities such as responding to competitors, meeting product cycle requirements, etc.
  • At a public cloud provider, security is typically one of the top 3 obstacles for obtaining customers and growing the business. If they can’t prove security, they cannot win customers. If they can’t maintain security, they most certainly can’t keep customers. Providers have a strong and direct financial motivation to place security at the top of their priorities.

I am not naive enough to think this plays out evenly across the cloud market. I see the most direct correlation with IaaS, largely because those providers are fighting primarily for the enterprise market, where security and compliance are deeper requirements. PaaS is the same way at major IaaS vendors (which is incredibly common), and then prioritization drops off based on:

  • Is it a developer-centric tool, or a larger platform?
  • Does it target smaller or larger shops?

SaaS is pretty much the Wild West. Major vendors who push hard for enterprise business are typically stronger, but I see plenty of smaller, under-resourced SaaS providers where the economics haven’t caught up yet. For example, Dropbox had a string of public failures, but eventually prioritized security in response, and then grew by targeting the business market. Box and Microsoft Azure targeted business from the start, and largely avoided Dropbox’s missteps, because their customers and economics required them to be hardened up front.

Once you understand these economics, they can help you evaluate providers. Are they big and aimed at enterprises? Do they have a laundry list of certifications and audit/assessment results? Or are they selling more of a point tool, less mature, still trying to grab market share, and targeting developers or smaller organizations? You cannot quantify this beyond a list of certifications, but it can most certainly feed your Spidey sense.