Enterprises Now Consider the Cloud at Least as Secure as Their Own IT
Thoughts about digital transformation and AI for enterprise leaders and their legal & compliance advisors
These posts represent my personal views on enterprise governance, regulatory compliance, and legal or ethical issues that arise in digital transformation projects powered by the cloud and artificial intelligence. Unless otherwise indicated, they do not represent the official views of Microsoft.
Until quite recently, the most common objection that CEOs and CIOs raised to moving their critical enterprise IT applications to the cloud came down to one word: security. Heard around the world and echoed in countless media stories, the refrain was always the same: we like the flexibility and scalability of the cloud and we love the efficiency of its pay-as-you-go business model, but we have a visceral fear of putting our critical data in someone else’s data center, a remote facility that we not only don’t control, but that is shared by many other users (including our competitors) and that we aren’t even allowed to enter.
I don’t recall ever seeing a study offering any actual evidence that the cloud data centers operated by providers such as Amazon, Microsoft, or Google are less secure than those operated by large corporations or government agencies. But the belief was tenacious and widespread, and not only among CIOs. Today, however, things are different, and I have some new data to prove it.
But first the backstory. My team at Microsoft has been heavily involved in helping senior executives who have compliance roles in their companies understand the cloud. These Compliance Decision Makers (or CDMs, as we call them) can have titles ranging from Board member to General Counsel to Chief Privacy Officer. They are not involved in day-to-day technology operations, but they have oversight responsibilities for certain key IT functions such as cybersecurity and compliance with data privacy regulations.
In 2016 my team at Microsoft decided to sponsor a study by IDC to find out how these enterprise Compliance Decision Makers perceived the cloud. We surveyed over 1,000 organizations in 16 countries, ranging in size from 500 employees to over 50,000. The results showed that the vast majority were already using or expected soon to adopt cloud computing. But we also found that trust and above all security were still the top-of-mind factors for deciding which applications and data could move to the cloud and which should remain on the enterprises’ own premises. Overall, about two thirds of all respondents to our 2016 survey told us that they still considered their own on-premises data centers to be more secure than the cloud.
As you can imagine, this ambivalent attitude on the part of cloud users concerned us, because we had the utmost confidence in the safety and security of Microsoft’s cloud services, and we felt that our customers should share that confidence. To be sure, no IT system can ever be 100% secure—perfection does not exist. But we knew our cloud was at least as secure as the data centers of our most security-conscious customers—and we felt we had good reasons to believe it was in most cases even more secure.
Last year we asked IDC to conduct another survey for us on the question of cloud security. The new study delved into many interesting questions and focused on Compliance Decision Makers at 200 large U.S.-based organizations (all with 1,000 or more employees). We’ll publish more results shortly, but today I can share with you the one data point that I find most significant:
Today, the vast majority of enterprises rate on-premises IT and the cloud as equally secure.
Specifically, 86% of our 2018 survey respondents said that their on-premises IT was very secure, while 82% and 80% said the same for their cloud-based applications (SaaS) and infrastructure (IaaS) respectively. Although all three numbers are high, you may be tempted (as I was at first) to read into these slight differences a trend favoring on-premises IT. But our resident statistician assures me that these differences are in fact not statistically significant.
The shift in enterprise views of cloud security in just two years is substantial: From a two-thirds majority believing that on-premises is more secure in 2016 to four out of five believing that on-premises and cloud are equally secure in 2018. What explains such a large and rapid shift? Certainly greater familiarity with cloud services is part of it. The economic and technical advantages of cloud are so compelling that essentially all large enterprises today are using it to deploy one or more serious enterprise applications.
But I think there is another factor, namely the rising challenge of regulatory and standards compliance. Regulators around the world, led by Europe and its General Data Protection Regulation (GDPR), which entered into force in May 2018, are implementing tough new requirements for data protection. At the same time, globally recognized standards bodies such as the International Standards Organization and the U.S. National Institute of Standards are producing new and more rigorous standards for cybersecurity. Achieving and maintaining compliance with these regulations and standards is extremely challenging in both technical and organizational terms. Enterprises of all sizes are increasingly realizing that they cannot meet the burden of compliance alone. And this is where the cloud comes in, with its growing potential to help enterprises reach their data protection and cybersecurity goals.
At Microsoft we devoted vast engineering resources and policy expertise over a multi-year period to ensure that our entire product line—including our enterprise software offerings and our cloud services—complied with GDPR. And we are doing the same for all the major cybersecurity and data protection standards, whether developed by general-purpose bodies such as ISO and NIST or for specific vertical industries such as financial services or healthcare.
And it’s not just a matter of building the right features into our products so that our customers can comply with these vital regulations and standards. We also deploy our own resources and skills to take the fight directly to cybercriminals. All told, we are investing $1 billion per year in cybersecurity. Much of this money goes to the constant reinforcement and refinement of the many cybersecurity measures built into our global cloud infrastructure.
The tremendous scale of our cloud means that we see many things. This gives us unique insight into the many threat actors who lurk in global cyberspace and how to combat them. Each day our security algorithms analyze 6.5 trillion signals and each month we block more than 5 billion malware threats. Last but not least, we are investing in the right people. We currently employ 3,500+ of the world’s top security professionals, including nearly 2,000 PhDs, and those numbers are growing. In short, it’s fair to say that Microsoft is “all in” on cybersecurity.
The challenges of meeting cybersecurity and data protection requirements are only going to grow in the coming years. That’s why I’m willing to bet that the next time we survey enterprise users they will tell us that they have finally come round to what we always believed: that the cloud is the most secure place to put sensitive data and critical enterprise applications.
Microsoft has published a book about how to manage the thorny cybersecurity, privacy, and regulatory compliance issues that can arise in cloud-based Digital Transformation—including a section on 360-degree security. The book explains key topics in clear language and is full of actionable advice for enterprise leaders. It is available for download, and a Kindle version is available as well.