- September 12, 2016
- Shaun McAravey
- IT & Technology
Even as the cloud industry grows and adoption becomes more widespread, worries about whether the cloud is secure persist. There’s a lot at risk: financial losses, lawsuits, your company’s reputation, and possibly even its very existence.
To protect all that and really do security well in today’s business environment requires highly specialized people and technology. What the cloud provides right out of the box is much more comprehensive and sophisticated than most individual companies could ever hope to match, and at a much lower cost. Here, specifically, are the reasons why cloud vendors do security better:
1. Regulatory compliance
With all the local, national, international and industry-specific regulations that are in place today, every business has to deal with many different compliance requirements, each requiring specialized knowledge and expertise. Building your own compliance infrastructure is expensive and outside the core competence of most organizations, and there’s a lot at stake if you get it wrong.
Many areas require periodic audits for third-party certification. If you don’t pass, you have to go through a remediation process and there is potentially a black mark against your reputation.
Cloud providers have teams of experts working to maintain compliance in more areas than you probably need or even know about. You get instant access to this compliance infrastructure out of the gate. Their teams handle all the audits. You can download all the certifications and audit reports you need to demonstrate compliance to your own stakeholders. The costs of the people and technology to do all of this are amortized across thousands of customers.
2. Authentication
Most people are familiar with authentication, also called identity and access control. We've seen some very big data breaches over the past decade. Poor access control was often the cause. Most companies have difficulty getting this right at a basic level, and can’t even come close to what the cloud can provide for advanced functionality and security.
The fundamental problem is the way applications are built. A directory that more or less mirrors the company hierarchy is usually the foundation for giving people permission to access different systems and documents according to their role. It can get very difficult to manage, so many companies don’t take it to the level of granularity needed to make it really secure. With cloud providers, world-class identity and access control management is available out of the box, without compromising on granularity of control.
Cloud-based directories can also allow for single sign-on, even in hybrid environments. What that means is that if you're authenticated in one environment you don't have to enter your user name and password again.
This is convenient for users, but again very difficult for individual companies to do right.
There’s an awful lot of complex code that needs to get written, so people take shortcuts, especially with internal applications. There’s a temptation to say, “Hey, they're logged in to our domain. That’s good enough.”
Single-factor authentication requires something you know, typically your name and password. However, people choose poor passwords, and username/password and login information is relatively easy to steal. That's why we have so many security breaches.
Multi-factor authentication is a much deeper, more secure process and a very desirable feature, but even harder to implement. It requires something the user knows and something they have, such as a verification code that is texted to their phone, or a link in an email that they have to click.
This again is the kind of thing that you get relatively simply in the cloud.
3. Encryption
Encryption is when you systematically scramble data so that nobody can read it unless they have the code key to unscramble it.
There are two places that data needs to be encrypted: In transit, when it’s traveling back and forth, and at rest, when it’s stored.
In transit, we have industry-standard transport protocols, such as HTTPS, which you've seen in your browser. The little lock icon tells you that communication between you and the server is encrypted.
What’s also important is encrypting the traffic between internal servers behind your firewall. This is another place where companies take shortcuts because encryption requires specialized mathematical expertise, and they believe it’s not necessary because communications and data behind the firewall are secure. That’s not necessarily so.
Something like eighty percent of all data breaches involve an inside component--someone inside the organization who has installed software to steal information. This is trivially easy for a person of average technical skills to do when the data is not encrypted.
What cloud providers do is set up virtual networks that are not accessible to anyone within your company and all the traffic between machines in the cloud is securely encrypted. This level of security is a standard part of the infrastructure of all major cloud providers.
4. Key management
When you encrypt information, sometimes you have to decrypt it. To do that requires an encryption key, which has to be stored somewhere. The question is where do you store the key? If it’s stored locally, there’s a risk that internal people can get access and steal it.
Most cloud providers offer a service called a key vault, which they manage. It’s a very important piece of security infrastructure, again not easy to do well locally.
5. Threat management
External attack detection is another, separate security discipline, and one where it’s hard for an individual company to stay on top of its game.
Though the odds of your company experiencing one are small, denial of service (DoS) attacks are a relatively common way to attack a business. A DoS attack could be related to industrial espionage, but there is also a bit of an anarchist hacker community and this is a way they make mischief.
The idea is to send so much traffic to your machines that you don't have enough resources to deal with your legitimate traffic. Nothing is breached, but for all intents and purposes your site is unavailable.
If you’re managing your own infrastructure, you have to have resources to both detect and fend off these and other kinds of attacks on your servers. But since this is a once in a blue moon event for most companies, readiness to respond to these threats is likely to be poor.
However, external attacks are a routine occurrence for a cloud provider. An attack that would overwhelm your servers might account for .05 percent of all their traffic. When they detect an attack attempt, they prevent these packets from ever reaching your server. Since your website never sees that traffic, it remains available and responsive. It’s automatic and invisible. Unless you check the log reports, you may never even know it happened.
6. Patching
Hackers are constantly discovering new ways to break into operating systems. Vendors such as Microsoft and Apple are constantly issuing patches to close these security holes as they are discovered. If your computers are your own, your staff have to constantly monitor security advisories and keep patching machines to stay up to date.
With cloud services, the hosting provider does all the security bulletin management and patches the machines. They have dedicated staff and processes in place. That’s a whole cost center that is no longer necessary for you to deal with.
7. Server failures
Modern servers are very reliable but individual computers do fail. If, for example, the hard disk in your server is rated at 5 years MTBF, this means that on average a disk will fail every five years. If you have a dozen servers, you probably don’t deal with it very often, but when it happens it’s a fire drill.
Cloud providers with hundreds of thousands of servers have a dedicated team with a lot of technology at their disposal working on keeping the hardware running all the time. If a server starts to exhibit signs of impending failure, they’ll move everything to another server and decommission the failing one, most likely without customers ever noticing.
8. Logging, monitoring and reporting
You may not be able to see the servers in your data center, but you can see exactly what’s going on with your systems at all times, maybe even more than you could if they were on premises.
Cloud providers offer great tools for monitoring what’s going on with your infrastructure and/or application. You can look at relevant log data from your applications or systems (depending on the cloud service type you use) to see who’s doing what and whether there were any threats. They have reporting tools for almost anything you’d want to report on. Building that kind of comprehensive monitoring, logging and reporting infrastructure in your own environment is expensive and time consuming. With the cloud, you can go in any time and pull down any number of pre-configured reports.
As you can see, there is an incredible amount of hardware, software and human knowledge and expertise needed to keep a company secure today.
Even if you could find all the right people – and that’s a big if, because you have to understand all of this yourself at a deep level in order to make the right hires – why would you when a cloud provider can do it better, cheaper and faster?
None of this is core to your business, and as the saying goes, you can’t sell security. Your customers simply expect you to have it. They’re not going to pay a premium for it. That’s what it really comes down to. There is a cost to getting these things done right. Even large companies with lots of resources are choosing cloud, because they choose to spend their IT dollars a different way.
Now that you know the specifics, the question really shouldn’t be why a firm would put its infrastructure in the cloud. A better question is, why wouldn’t they?
Shaun McAravey is co-founder and CTO of Nvoicepay, a Coupa partner. He is also CEO of Easypower, a maker of software for power system design, and CTO of SoftSource Consulting, which provides application development and security services to Fortune 100 companies.