Large-scale public/private Cloud is generally more secure, but you can be the weakest link, just like with on-premises systems.
Many Senior Cyber Security Managers argue that large-scale mass-market public/private offerings like Microsoft Azure, Amazon Web Services, Rackspace Cloud etc. are very secure and often more secure than running in-house servers. Why? Because they have larger departments designing the architecture, implementing isolation and monitoring. To compare, an FTSE 100 firm may have a handful of monitoring staff, whereas the names listed above have tens of operations staff.
This, however, does not always apply to small to medium-scale cloud offerings. Many do not match the level of security described above. Many companies do use high-security data centres and sell themselves as ultra-secure, but only have high physical security. Who is really going to break into a data centre these days? People used to break into data centres (and still do) to steal hardware to sell on the black market.
Take two 'normal world' scenarios:
- You rent a high-security bank vault, which by default is very secure, but you leave the keys out along with the PIN on a Post-it note next to them. Thus, the high security is greatly reduced by you.
- You get your house fitted with a bombproof door and bulletproof windows and leave one open. Top security out the window. The same applies to the Cloud: if you configure it poorly yourself, it becomes less secure.
Yes, the data centre has good physical security, dual power feeds, dual generators, dual UPSs, data replication, logical isolation that is likely better than what you implement in-house, and more. Poor coding that leads to application-layer vulnerabilities, or poorly configured firewall rules, are the same whether you use a reputable Cloud provider or run on physical or virtualised servers in your own data centre.
The better logical isolation set up by default by the Cloud provider will hopefully mean a compromise does not spill over to other clients or to the other virtualised server endpoints you rent, but a breach is a breach. Many companies' information requires encryption, which in many cases can be pointless since providers often offer only 'at rest' protection. Think about it: how many people are going to break into a data centre and steal a SAN drive? Plus, data from a single SAN drive would be hard to use.
BitLocker and Microsoft SQL Server TDE (Transparent Data Encryption) offer little or no protection against an attack 'over the wire'; they mainly protect against someone pinching the entire physical hard drive. The concern should be someone getting onto a server through SSH or RDP or, more likely, through a SQL injection attack. Only a few specialist products offer protection for these scenarios, and they cost a fair amount to implement.
Best practices such as code scanning, pen testing, inbound, outbound and internal firewalling, a web application firewall, antivirus, endpoint hardening, authentication, using the latest software, monitoring, strong ciphers, patching, whitelisting, privileged account control and more are still a necessity. So, the next time you use the Cloud to be more secure and reduce cost, do not be complacent: get a specialist to review and secure it, followed by an application and infrastructure pen test.
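As an added illustration of the point above (this is constructed for this page, not code from the original article): at-rest encryption sits underneath the database engine, so whatever query the server is asked to run still returns plaintext rows. The script uses an in-memory SQLite table with invented customer rows and compares a query built by string concatenation with a parameterised one for the same input.

```python
import sqlite3

# Constructed sample rows standing in for a customer table on a cloud-hosted
# database server; every value here is invented for this example.
SAMPLE_CUSTOMERS = [
    (1, "Alice Example", "alice@example.invalid", "GB12 0000 0000 0000"),
    (2, "Bob Example", "bob@example.invalid", "GB34 0000 0000 0000"),
    (3, "Carol Example", "carol@example.invalid", "GB56 0000 0000 0000"),
]


def open_db() -> sqlite3.Connection:
    """In-memory SQLite DB with the sample rows. TDE or BitLocker would sit below
    this layer: the file on disk would be ciphertext, but every query the server
    accepts still gets plaintext rows back."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, iban TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String concatenation: the caller's input becomes part of the SQL syntax."""
    query = "SELECT name, email, iban FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    query = "SELECT name, email, iban FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def compare(email: str) -> dict:
    """Row counts the two lookups return for the same input."""
    conn = open_db()
    try:
        return {"vulnerable": len(lookup_vulnerable(conn, email)),
                "safe": len(lookup_safe(conn, email))}
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice@example.invalid"))  # same answer from both lookups
    # Constructed hostile input: it closes the quote and appends a tautology, so
    # the concatenated query returns every row (all IBANs, in plaintext) while
    # the parameterised one matches nothing.
    print(compare("' OR '1'='1"))
```

Encrypting the disk would not change either result, which is why the page's list of application and infrastructure controls still applies on a reputable Cloud provider.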
To support Cloud Security skills, QA offers the Certified Practitioner Certificate in Cloud Security. This GCHQ-certified course is focused on Cloud Security, encompassing Cloud Security Architecture, DevSecOps, Data and Assurance aspects, Governance, Cloud Security Operations and Web Application Security.

Graeme Batsman
Graeme joined QA in 2017 and has worked in security on and off for 15 years. His last role was as a Senior Technical Security consultant at Capgemini covering the public and private sector.
From the age of 17, he was running investigations into online scams and phishing. Today he teaches and/or has written: CEH, OSINT, CTF (conventional or OSINT), CyberFirst, practical encryption and Security+. Graeme is an avid writer with 130+ articles to his name and a chapter in a published book.
He loves thinking like a hacker to review and tweak settings with a fine-tooth comb.