It would be great if there were an easy yes or no answer. But it was never going to be that simple.
The truth is, it depends. And with the average time it takes to contain and identify a data breach being just over nine months, and the average cost of a data breach at $3.86M, according to IBM, the stakes depending on it are pretty high.
It depends on how much you trust the alternative of storage hardware. Your USB sticks, memory cards, external hard drives, network-attached, and other on-prem servers could get lost, stolen, damaged, or have a manufacturer fault that results in the loss of your data. Cloud does not have these potential issues.
People can be phished, cloud can’t
One of the advantages of cloud storage is the lack of human interaction and interference. When cloud data is hacked, the majority of the time, it’s down to human error. Kaspersky Lab published research in 2019, which found that 89% of SMBs and 91% of enterprises have experienced a data breach on their public cloud due to a social engineering attack.
Jonathan Sander, Security Field CTO at Snowflake said he’s noticed a trend in cloud storage towards heavy automation and orchestration. This leaves the human, who is prone to being phished and scammed, out of the loop and thus the data more secure.
“Removing humans from the equation as much as possible is always an excellent security principle,” Sander told TNW. People can mitigate the risk of being the weakest security link, with any type of storage, by using multi-factor authentication, difficult passwords, and a password manager.
Top-notch security features
On the topic of excellent security principles, data cloud storage was designed with embedded security measures. These features include automatic security updates and patches, built-in firewalls, encryption, and AI vulnerability detection. Another reason why those who put their data in the cloud can rest easy is automatic backup, which means if any data is accidentally deleted it can easily be restored and recovered.
Cloud data storage also benefits from economies of scale. Individuals and smaller organizations simply would have a harder time of configuring, monitoring, and maintaining perimeter security by themselves, Camilla Winlo, Director of Consultancy at DQM GRC told The Next Web. This lack of capability may be down to not having the skills and experience to do so. Winlo also said that smaller organizations might not have the resources to assess and monitor asset management by a cloud provider, in which case the third party storage provider would provide a better service than the organization than if the organization were to self-serve on site.
Checked and vetted
Furthermore, there are the external audits which are used by cloud data providers to keep themselves in check. Sander says Snowflake is constantly under audit by third parties to meet governmental, financial, and other institutional standards. Winlo advised that organizations should look for cloud data providers that have current security certifications, such as ISO/IEC 27001and should also look at the executive summaries of auditors reports, to gain a sense of security before selecting a provider. Unfortunately, these reports are often bound by non-disclosure agreements she added.
These advantages are numerous but as with anything, there are issues to take into consideration. For 524 organizations around the world analyzed by the IBM Data Breach Report, the root cause of data breaches for 52% was malicious attacks, for 23% it was human error, and one in four caused by system glitches. It should be noted that 19% of the companies that suffered a malicious attack had been infiltrated due to stolen or compromised data for which a human could have been at fault somewhere along the line.
The report also states that for 19% of data breaches caused by malicious attacks the initial threat vector was misconfigured cloud servers. And 16% of data breaches caused by malicious attacks had vulnerability in 3rd party software as a root cause.
Another concern about putting data in the cloud is loss of data governance. Data governance is a series of processes and policies that sets out the data strategy, security, regulation, quality, and insight. Handing over part of the data governance responsibility to a third party means an organization loses some control and has to consider the risk of doing so by assessing the level of expertise of the storage provider, said Winlo.
To Snowflake, data governance is about knowing your data, controlling your data, and streamlining the two. According to Sander, his company has a mature data governance program that is robust enough to pass the audit inspections. “We promise our customers that we meet governmental, financial, and other institutional standards so we audit on a regular basis. Having mature data governance internally is the only thing that makes it possible for us to do those things,” he said.
How could cloud be better?
As with any burgeoning innovation, there is room for improvement among cloud data providers. Winlo explained that improved transparency and better risk assessments would be the biggest changes that would improve the security of cloud storage. The reason for this is: “It’s difficult for organizations to perform as thorough risk assessments for third party clouds as they can for an on-prem solution – as third party clouds are essentially black boxes,” she said. However, she added it’s worth bearing in mind that if an organization does not have the skill to perform such risk assessments on the third party, the storage provider probably has a greater security level than the organization could maintain alone.
Organizations end up in a Catch 22. The sophisticated and complex security measures and asset management enacted by the cloud storage provider would put a lot of organizations at ease about store storage. At the same time, the security measures may be so sophisticated and complex that the organization is unable to scrutinize or monitor them for a thorough risk assessment, which could lead to a decrease in trust.
In 2019, 48% of corporate data was stored in the cloud, according toStatista, which was up from 30% in 2015. So just under half of enterprises have enough trust in the cloud to put critical information in the hands of cloud data storage providers. Despite the considerations that need to be taken with cloud data storage, its popularity is growing and it is probably a safe bet to say that trust is keeping pace.