Where I work, we have several cloud-based applications in use by the workforce. About 18 months ago, we were involved in some discussions about cloud security, and in that conversation one of our security experts mentioned that an organization’s information might very well be more secure in the cloud than on premises in the data center. Two weeks ago, I had another conversation with two outside security experts, and when I shared that same thought, they both agreed. That made three serious security experts who felt things might be more secure in the cloud rather than on premises.
This is not a commonly held view.
The reason these experts felt things might be more secure in the cloud is that the cloud vendor likely has far more expertise and equipment online to protect your information than a company can afford to put in place to protect that same information in its own data center. Yes, in the data center your email or whatever is protected by your firewalls and whatever detection tools you have in place, and it is protected by your administrators, whom you trust. But likely you only have 2-3-4 security experts doing the work, where the cloud vendor might have 200-300 experts doing the same thing. Furthermore, the vendor has its reputation and its business model based on its security being solid, i.e. it is critical that the vendor keeps it secure.
An enterprise, organization, company, school or business has thousands of things to protect and likely only a handful of people dedicated to that protection. Quite probably its internal security is not as good as it thinks, and there are risks to that internally hosted information that are not fully appreciated.
Clearly there are security issues with both approaches and nothing is perfect, but these thoughts are certainly interesting.
Would love to hear your opinion.