Cloud computing is generally more secure than installing or hosting your IT assets onsite. This is mainly due to the fact that cloud hosting companies can afford to implement the most advanced security measures and hire the most knowledgeable and experienced IT security personnel.
It would cost a business hundreds of thousands of dollars, at least, if it wanted to implement the same security measures and hire the same security personnel as the cloud provider to protect its own onsite IT assets. With the cloud, businesses only have to pay a small percentage of the cloud hosting company’s total security costs, since they are sharing the costs of these security measures with the hosting company’s thousands or millions of other clients.
For example, many cloud hosting companies develop and use their own ultra-secure or “hardened” hosting platforms that don’t have the same vulnerabilities and aren’t as well-known to hackers as commercially-available server operating systems and hypervisors (virtualization software).
Their datacenters have fortress-like physical security, with 24x7x365 patrolling security guards, card readers or palm or fingerprint readers, closed circuit video surveillance systems, and impenetrable steel doors.
The electronic measures that hosting companies use to protect their hosted solutions from malware and hacking attempts include:
- Network encryption
- DDoS mitigation solutions
- Content filtering (which prevents users from accessing inappropriate websites)
- Spam filtering
- Gateway antivirus (an antivirus solution that prevents malware from entering the hosting company’s network)
- Intrusion detection and prevention systems (IDS/IPS)
- Patch management (which involves applying updates to applications and operating systems to remove known vulnerabilities)
Businesses that install or host their IT assets onsite also use many of the same electronic security measures, but the ones that cloud providers use are usually more advanced, either because they’re the more expensive, “enterprise” versions of these products, or because they’ve been extensively customized or reconfigured by the cloud provider in order to maximize security.
For example, while an individual business might use the rudimentary firewalls built in to its routers or the free software firewalls included with all Windows operating systems, a cloud provider might purchase multiple $2,000+ hardware firewalls with built-in antimalware, spam filtering, content filtering, and IDS/IPS, and configure them so that they provide optimal protection from external security threats.
Cloud providers also implement more internal security controls than most individual businesses. They have clearly defined security policies and procedures, which are basically internal rules or instructions that determine:
- The security measures that need to be implemented
- How these security measures need to be configured
- The correct response or series of responses to common security incidents, such as malware infections or intrusion attempts
- The security roles and responsibilities of each employee
- The permissions of each employee, which determines which parts of the cloud providers’ system that the employee can access
- The process for reviewing and changing these policies and procedures
The cloud providers teach these security policies and procedures to all new employees. Noncompliance isn’t tolerated; if an employee fails to obey these policies and procedures, he or she will be disciplined or possibly dismissed, depending on the nature of the violation and the employee’s history. To ensure compliance, all employee activity on the cloud provider’s systems is logged.
Lastly, the cloud provider hires IT security specialists such as chief security officers, security engineers, and information security analysts (who all have salaries of $50,000+ per year), who have a lot more IT security knowledge and experience than the average in-house IT employee, and know how to maximize the effectiveness of the provider’s security measures, policies, and procedures.