Cloud Mythbuster: Security in cloud – Sorting facts from gut feelings


We recently collaborated with AWS on a survey of cloud adoption in Finland’s public sector. Given the Finnish government’s advice that agencies go cloud-first where possible, the results make interesting reading when it comes to what’s blocking progress.

This article is the second in our Cloud Mythbuster series where we delve into blockers and how to overcome them. (You can read the first article on data protection here.)

Here, we bust 3 security myths that emerged from the survey and look at how public sector agencies can drive their cloud journeys and digital service development in a way that mitigates risk.

Can you trust public cloud’s security?

The myth

The survey revealed uncertainty about which offered more robust security, on-prem or public cloud, with 38% of respondents unable to say which was more secure. This confusion was particularly pronounced among respondents from ministries and health agencies. 

Some respondents said that the security level depends on the service provider rather than the technology itself. And the fact that there’s no legislation or defined standard of what security requirements should be in place for the public sector also made agencies hesitant.

Ultimately, people and processes rather than technology were at the root of the misconceptions around security levels:

  • Skills – Security management in cloud is different compared with on-prem, which means it involves new skills and ways of working. But as long as you have the right governance, support and upskilling in place, public cloud generally makes it easier to achieve more robust protection
  • Security governance – by this we mean the policies, processes and frameworks you use to manage security across prevention, detection, response and remediation. You need to govern security management whether you’re on-prem or in the cloud, and the effectiveness of your approach will be rooted in this

The facts

The question we always ask in this situation is:

‘Do you have better technologies and processes to protect servers than public cloud providers do?’

The answer is nearly always ‘no’, because hyperscalers have economies of scale when it comes to developing and deploying the latest capabilities to enable the Confidentiality - Integrity - Availability (CIA) Triad. As a result, they’re better able to stay ahead of the curve in the fast-moving cybersecurity space.

Here are 4 important ways public cloud enhances your security posture compared with on-prem:

  • Zero-trust methodology – Zero trust is one of the most secure methodologies. It involves doing away with implicit trust and constantly validating every level of digital connection to safeguard the organisation. Zero trust is the default for public cloud, and it’s much harder to implement and maintain this level of security yourself from scratch
  • Automation – with public cloud, you can go into fine detail of how assets/data/functions are protected, who has access and what controls and processes are in place. With functionality from hyperscalers, it’s easier to set up governance and enable it at scale
  • Tooling – Cloud providers have their own tooling and certified products and solutions in key areas like infrastructure security, policy management, identity management, security monitoring, vulnerability management and data protection, so you can incorporate best practices in essential areas. There is also a wide array of third-party solutions, which enhance these capabilities even further
  • In-built compliance – hyperscalers work closely with industry bodies and EU authorities to enhance security and other services based on evolving best practices and regulatory requirements, including the NIST Framework for managing cybersecurity risk

One survey respondent summed it up nicely, saying:

“Cloud has good information security and is easier to adapt based on usage than on-premises services. New features or functionalities are brought in on the cloud side now. Nowadays, it’s difficult to get all the functionality in on-prem.” (Government agency)

However, that’s not to say you should be 100% in cloud. Data and assets with high classification levels may need to stay on-prem. The key is to ensure you’re taking the best classification approach (read more on that here).

Can other actors access assets in public cloud?

The myth

The survey flagged 2 elements of concern in this regard:

  • Vulnerability to cyberattack – which we covered in the first myth about the relative security posture of public cloud vs on-prem
  • Access to data – some survey respondents expressed concerns about foreign-owned corporations having an obligation to hand data over to their government authorities if asked

The facts

On the cyberattack myth – public cloud’s core function is to reliably store critical data and infrastructure for organisations. If a hyperscaler was not perceived to be a reliable partner, they would have a difficult time operating in an extremely competitive environment. Hyperscalers have some of the world’s largest attack surfaces for cybercriminals, and are therefore at the cutting-edge of security investment, with regular auditing by independent agencies.

On the government access myth – it’s just not true. Governments do not have direct access to the data. However, in cases of criminal investigations, government entities have been known to make data requests, which have then been handled case by case – with only information relevant to the investigation handed over (and with the data owner’s approval). 

If a court issues a warrant for cloud-based data as part of a criminal investigation, the hyperscaler then issues a request to the data owner. Because you retain ownership of your data, the hyperscaler can’t hand over anything without your knowledge. And the fact is – this is the same procedure that would happen with on-prem.

Do you give up ownership or control of your assets when you move them to public cloud?

The myth

The misconception here is that – because you’re using their cloud computing products and services – the vendor gains ownership and/or control of what’s being stored and processed.

The facts

You retain ownership of all your assets. Hyperscalers only store data/assets based on the agreed services. 

Under the shared responsibility model, the hyperscaler is responsible for the security of the cloud itself, and you’re responsible for the security of your data/assets/functions in the cloud. This means:

  • The hyperscaler – protects the infrastructure that runs its services: the hardware, software, networking and facilities
  • You – are responsible for the configuration and management of operating systems, network, firewalls, platforms, encryption, applications and identity and access management

In other words, you have complete control over the governance, encryption and access management needed to protect your assets.
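To make the customer’s side of the shared responsibility model concrete, here is an added example (not code from the article, AWS or the survey) that audits a list of resource configurations for the controls the customer owns: encryption, network exposure, identity and access management, and back-ups in more than one location. The resource schema (`encryption_at_rest`, `public_access_blocked`, `iam`, `backup_regions`) and the sample resources are constructed for illustration and do not correspond to any provider’s API.

```python
"""Audit the customer-owned controls under the shared responsibility model.

Added example: the resource schema below is hypothetical and the sample
records are constructed inline so the check runs offline.
"""
from dataclasses import dataclass

# Constructed sample inventory (hypothetical schema, not a provider API).
SAMPLE_RESOURCES = [
    {
        "name": "citizen-records-store",
        "encryption_at_rest": True,
        "public_access_blocked": True,
        "iam": {"mfa_required": True, "wildcard_actions": False},
        "backup_regions": ["eu-north-1", "eu-west-1"],
    },
    {
        "name": "legacy-reports-store",
        "encryption_at_rest": False,
        "public_access_blocked": False,
        "iam": {"mfa_required": False, "wildcard_actions": True},
        "backup_regions": ["eu-north-1"],
    },
]


@dataclass(frozen=True)
class Finding:
    """One missing customer-side control on one resource."""
    resource: str
    control: str   # encryption | network | identity | resilience
    detail: str


def audit_resource(res: dict) -> list[Finding]:
    """Return the customer-owned controls that are absent on one resource."""
    name = res["name"]
    findings = []
    # Encryption: the customer configures it; the provider only offers it.
    if not res.get("encryption_at_rest", False):
        findings.append(Finding(name, "encryption", "encryption at rest is disabled"))
    # Network/firewall: exposure to the internet is a customer setting.
    if not res.get("public_access_blocked", False):
        findings.append(Finding(name, "network", "public access is not blocked"))
    # Identity and access management: who may act, and under what conditions.
    iam = res.get("iam", {})
    if not iam.get("mfa_required", False):
        findings.append(Finding(name, "identity", "MFA is not required for access"))
    if iam.get("wildcard_actions", False):
        findings.append(Finding(name, "identity", "policy grants wildcard actions"))
    # Resilience: back-ups in more than one location are the customer's choice.
    if len(res.get("backup_regions", [])) < 2:
        findings.append(Finding(name, "resilience", "back-ups exist in fewer than two regions"))
    return findings


def audit(resources: list[dict]) -> list[Finding]:
    """Audit every resource in the inventory."""
    return [f for res in resources for f in audit_resource(res)]


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per control area, useful as a governance dashboard input."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_RESOURCES):
        print(f"{f.resource}: [{f.control}] {f.detail}")
    print(summarise(audit(SAMPLE_RESOURCES)))
```

Every finding the checker raises sits on the customer’s side of the line: none of them is something the provider can fix by securing its own data centres, which is exactly the point of the model.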

In fact, a major security benefit of public cloud relates to your ability to control where and how your data/assets are secured – and to have back-ups in different locations. For government agencies that are part of Finland’s critical infrastructure, this is particularly valuable because you’re not dependent on data centre location for operational continuity. You can quickly and easily move data and functions if there’s a crisis, and you have the resilience that comes from more cost-effective back-ups.

As one survey respondent said:

“The cloud had been seen as riskier, but recently due to global events, e.g., the attack on Ukraine, we’ve started to see it is an opportunity for decentralising – which creates greater security. Our customers are now saying that hyperscalers’ huge machinery provides security, recognising that they have stopped most of the attacks even with the war in Ukraine. When you outsource to a large cloud partner, there is a different level of capacity and infrastructure to secure services.” (Municipal IT service centre)


Ilja Summala
Ilja’s passion and tech knowledge help customers transform how they manage infrastructure and develop apps in cloud.
Group CTO