I always thought this question was simple, especially for a small organization, meaning that security in the cloud is better, if only because the IT guys and gals running the cloud service are likely to be better educated regarding security best practices, uptime, and performance (including the know how to set up data centers that can fail over across multiple continents) than a guy working out of his van. The example is a caricature, I know, but I think you get what I’m saying. However, some recent reading and ad-hoc conversations with friends and family indicate that the answer to the question, “Is the cloud more secure than on-prem?” isn’t a slam dunk for non-technical folks that read about the latest technology breach every morning with their coffee.
The issue of whether or not the cloud is inherently unsecure is dealt with thoughtfully in the following article: The Cloud – Is It Really a Security Risk?
The biggest advantage in cloud computing for IT security besides the strategic sourcing of services is that cloud service providers are potentially better at IT operations than an organization can be. That is especially true for SMBs. Large providers with large data centers promise availability and data security – and many of them fulfill that promise. In addition, cloud services might as well help in improving IT service delivery. External backups, sort of “redundant data centers” built on IaaS (Infrastructure as a Service) offerings, or just the ability to offload peaks in resource consumption to the (external) cloud are some examples.
…On the other hand there are some areas that aren’t at the center of attention right now but should be. How about privileged access? How about authorization? How about auditing? How about enforcing SoD (Segregation of Duties) rules across multiple services? These are aspects that have to be covered in service descriptions, requirements definitions, and SLAs as well.
The article is worth reading. Personally, I’m going to have to be a little more patient with those who have yet to jump into the cloud (even if, in my opinion, it’s just a matter of time before we’re all there), and understand that their reservations aren’t totally unfounded.