Is cloud safe?
Alexander Lutchko
Cloud Magician@AWS | 4xAWS Certified | Startup Solutions Architect
Sometimes I hear "We won't go to the cloud because it's safer in our server room." Of course, this is not the only reason why someone may want to "stay at home", but I would like to give you some ideas for thinking about security in the cloud vs. on-prem.
Well, on-premise servers are under our control: no one will come in and take out a few disks or connect from his/her laptop, whilst we can’t be sure of that in the cloud. Correct? Em, the main entrance to the server is not "by foot" but via the network, so you can hire the best security team in the world with dogs and barbed wire and even cannons, and it will still not work if the admin sets the password "123456". Cloud Data Centers have the physical aspect of security no worse than in a bank, and more importantly, they test it regularly. Now a question: when was the last time you hired a team to check this part of security, for this team to try, say, to take the keys from an authorized person, arrive in a van painted as an "HVAC service", etc.?
Now a bit about servers. Your hardware is your responsibility, straight as a die, right? Fans, disks, switches, and a million different parts - all that is your responsibility. And zero of this burden in the cloud. Also, the wholesale price of disks for a global cloud service provider vs the price even for a large company will differ, and I’m sure you know who’ll get a better price. I won't be surprised at all if it turns out that the largest providers have their own factory of such disks, considering how many of them are needed. After all, they build their own processors, so why not disks?
About what's running on the servers. Operating system. Hypervisor. Someone has to manage it. If we have 10+ servers then it makes sense to have dedicated people to constantly learn, watch servers, and repair them. On the other hand, a cloud service provider has hundreds, not of servers but of Data Centers. As a result, their team(s) are more experienced and have written so many automation tools that they need significantly fewer people to support the same number of OSs as an average company.
What do we have on those operating systems? Our beloved (or not so) applications, of course, also - databases, queues, Kubernetes, and other stuff, that we did not develop but which are necessary. When was the last time you checked that your wonderfully awesome database was updated on an ongoing basis and you didn't have any technical debt? In the cloud, you practically don't have to worry about such things, as long as you choose not a database on a VM but a managed service database. The cloud provider will take care of this even if you have problems with hiring a good specialist. Even more: if it fits, makes business sense, etc. - we can go serverless and not worry about servers at all! This does not fit every use case, you have to approach it (like everything else) carefully, but there are many examples where it makes sense.
A lot of text above, now some numbers. In 2021, technology giants Amazon, Microsoft, Google, IBM, and Apple declared a total investment in cybersecurity worth over $30 billion. How much had your company invested in the same then? Who will have better results?
In 2022, AWS invested $10 million in just one product. What product of yours enjoys similar attention?
One more example: AWS prides itself on having and regularly confirming compliance with 143 (one hundred and forty-three) security certifications and standards around the World. I apologize to fans of other hyperscalers (GCP, Azure) - I believe they have it similar, but I don't have the numbers at hand. How many audited security certificates does your company with its own server room have?
The security department of each of the three leading cloud providers has more than one thousand people. Every day they effectively fight such a number and variety of attacks, from physical to AI, that we can hardly imagine, gaining experience and accumulating knowledge. Can you boast about even a tenth of this?
"Enough! Company X went to the cloud and it was a disaster!" - it happens, but before saying "I won't go there", it is worth understanding why it happened. Cloud resources are a shared responsibility, and again, if we set the password "123456", it will not make any difference if we are in the cloud or on-prem. Similar errors occur due to lack of knowledge and the assumption that "the cloud will do everything for me" or "I will do it later, somehow". This approach, of course, may result in "spectacular failure", so we must learn that on-premises experience is categorically not enough. One more keyword: FinOps. Yep, it’s very similar to DevOps, and both make sense.
Bottom line: from my standpoint, the biggest mistake during cloud adoption is to think that it is just another server room. This will have both quick and long-lasting effects, but always negative. Teach your people, look for knowledge and experienced people - and then the cloud will be safe (and profitable) for you.
Written by me, human.
Head of IT I Experienced IT Leader | Cloud Architect (6xAWS certified) | Helping companies to build in the Cloud I Transforming business visions into innovative technology solutions
1 year ago
In similar discussions in the past, I usually gave such a comparison to make it easier for non-technical people to understand. Cloud security is like storing your savings. You can keep them at home in your sock and be 100% responsible for their safety, or in your bank account and trust that someone will take care of them for you. Both solutions have their pros and cons.