But it’s simply not true. Cloud providers have better security mechanisms in place and are more paranoid — and attentive — to security risks throughout their entire stack.
What public clouds bring to the table are better security mechanisms and paranoia as a default, given how juicy they are as targets. The cloud providers are much better at systemic security services, such as looking out for attacks using pattern matching technology and even AI systems. This combination means they have very secure systems.
It should be no surprise that the hackers move on to easier pickings: enterprise data centers.
The on-premises systems that IT manages is typically a mix of technologies from different eras. The aging infrastructure is often less secure — and less securable — than the modern technology used by cloud providers simply because the old, on-premises technology was designed for an earlier era of less-sophisticated threats. The mixture of different technologies in the typical on-premises data center also opens up more gaps for hackers to exploit.
Because on-premises systems are aging, their intrinsic security can be easily defeated by hackers. Moreover, the number of attacks increases weekly, and defenses need to be proactive — more proactive than most enterprise IT organizations are, and likely more proactive than they can each individually afford to be.
The most recent high-profile data center breach, at the Hilton hotel chain, is an example of those old systems’ vulnerability. I’m sure Hilton has invested in security over the years, but it still doesn’t know exactly how the hackers got in.
The public cloud has the advantage of being less complex and not dependent on older technologies. At the core, it’s a more secure platform.
But you are safer in the public cloud only if you put good security planning into your public cloud deployments, augmenting what the cloud providers do. For example, you should use encryption and IAM-based security.
The bottom line is that any system, whether cloud or on-premises, is only as secure as the amount of planning and technology that goes into the data and applications. Cloud providers have done a better job, both because they have to and because their newer technology makes out easier for them to do so. IT should be taking advantage of that cloud security focus, not ignoring it.