Werner Vogels, Amazon Web Services (AWS) CTO, speaking at the AWS Summit in London yesterday, made the rather amazing claim that security in the cloud is "much stronger" than anything you can have on-premises. As someone who has been writing about information security for more than 20 years, and covering the cloud security beat for five, I can understand why he might say that. However, that doesn't mean he was right; not for every customer, and not for every implementation.
If you are talking about the smaller end of the SME spectrum then, for the most part in my experience, there's a very good chance that the kind of dedicated security know-how and infrastructure investment available from the likes of AWS is beyond the reach of the average business. If you are talking about larger enterprises, which do have dedicated security teams and have already invested heavily in the relevant infrastructure and processes, well, sorry Werner, but that's a totally different ballpark.
It's one thing for Vogels to dismiss hybrid cloud, and I think he's got that fundamentally wrong as well, but to make such simplistic and sweeping statements about security in the cloud is pretty much unforgivable. It's the kind of thing I hear on a daily basis from marketing men and product directors, but I would not expect it to come out of the mouth of the CTO of such a large player in the cloud space. Sure, AWS thinks it is pretty clued up when it comes to the importance of data encryption, with the option of letting customers generate and manage their own keys using CloudHSM, for example. That could be fine as far as 'at rest and in flight' encryption is concerned, and fine for data storage in the cloud. It is not so fine, from the 'more secure than your on-premises solution' perspective, when you want to do something with that data in the cloud.
Something like, well, processing it. Until the promise of homomorphic encryption is realised, frankly, the cloud is not going to be automatically more secure than your on-premises setup. As soon as data processing in the cloud comes into play, and your encrypted data has to be decrypted, all the security in the world amounts to nothing; all you have left is trust that the organisation holding your data and enabling the processing is not peeking at your plaintext, and is not allowing someone with a court order to do likewise.
This is the single point of failure in the "our cloud is more secure than yours" argument, and it is why such statements are not helpful in moving the cloud security position forward. Werner Vogels has made the mistake of conflating security and risk; the two are not the same thing. The risk to data may be acceptable, but that does not make it secure, and it certainly does not make it "much stronger" than an on-premises solution in anything like every instance.