Before delving into security challenges associated with different cloud types, let’s take a look at the big picture: cloud hosting vs. on-premises infrastructure. Which one is more suitable for your business? Frankly, both solutions have their benefits.
Dedicated Servers: More Control, Less Scalability
A dedicated server is a physical server that is purchased or rented entirely for your own business needs. Dedicated servers are typically used by large businesses and organizations that require exceptionally high levels of data security, or organizations that have steady and high demands for server capacity.
The main advantage of using a dedicated server is an unparalleled degree of control and security. On-premises infrastructure provides:
- Freedom of hardware choice. Unlike a cloud server, a dedicated server can be configured to your exact specifications: you choose the processor, RAM, storage and other features that best fit your needs.
- Better performance. In essence, cloud computing is IT resources delivered over an IP network, so if your internet connection is slow, you can expect latency and reduced productivity. In contrast, with a local server your data has no long distances to travel, so you can access it faster. Therefore, on-premises servers are the best choice for optimal computing performance.
- Higher level of security. Since the server is physically located at your business and you connect to it directly, it can provide a higher level of protection for your data. With your own infrastructure, you know where your data is going and where it is stored. You don’t have to send potentially sensitive information through the internet, and it won’t end up on the hard drives of some server in a random data centre. Strict security is arguably the biggest benefit of dedicated servers.
- Reliability. Cloud outages are not uncommon. The internet-centric nature of the public cloud means that any disturbances at your ISP or on the wider internet can leave you without access to data. This is less of a problem with on-premises IT because you can still access files offline by physically walking over to a server if something goes wrong.
- (Possibly) lower costs. With a dedicated server, you can decide what and when to buy, whereas with cloud IT you’re bound by what a provider wants to charge for a key service. And as your company grows, economies of scale could also work in your favour, potentially making local servers cheaper than cloud ones.
Cloud Hosting: More Flexibility, Less Control
Cloud computing and storage provide capabilities to store and process user data in third-party data centres. Cloud servers can be configured to provide levels of performance, security and control that are similar to those of a dedicated server. But instead of being hosted on physical hardware that’s solely used by you, data resides in a shared environment managed by your cloud hosting provider.
The main benefit of cloud-based software and infrastructure is convenience:
- Cloud maintenance is someone else’s business. With a public cloud, all the hardware maintenance is taken care of for you: it is the service provider who is configuring new servers, replacing buggy components, and ensuring that security systems are working as they should. Furthermore, OS patches are rolled out automatically, which is a huge burden off your IT department’s back.
- Flexibility. A cloud service can expand or shrink depending on real-time changes in computing workload. For instance, if you just need a website for a few months, you can quickly set one up and shut it down later – without any hardware purchases. This flexibility also means that you will not be paying for idle infrastructure costs when demand is low (e.g. off-season). Therefore, companies with variable workloads often find cloud servers an ideal fit.
- Simple setup. Getting started with a SaaS solution like a marketing automation platform or a file sharing application can be as straightforward as filling out an online form. Compare that to purchasing hardware, installing project management tools and general on-premises maintenance.
Public Cloud Security Concerns
If you are using a dedicated server, it’s up to you to take safety measures. However, if your data (or part of it) is stored in the cloud, the responsibility is shared between you and the cloud provider, who must ensure that their own infrastructure is secure and that their clients’ data and applications are protected. This can be a deal-breaker for tightly regulated industries with very sensitive information like health care, finance, and military contracting.
Typically, commercial cloud storage providers encrypt each user’s data with a unique encryption key, but they keep the key themselves. It is much more convenient for providers, but also less secure: just like regular keys, if you give them to someone else, they might be stolen or misused without you even knowing. Actually, the list of internal and external cloud security threats has never been longer.
A data breach might be the primary objective of a targeted attack or simply the result of human error, application vulnerabilities, or poor security practices. It might involve any kind of information that was not intended for public release, including personal health information, financial information, personally identifiable information, trade secrets, and intellectual property. The risk of data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers.
In order to cut costs and maintain efficiency, cloud service providers often store multiple customers’ data on the same server. As a result, there is a chance that one user's private data can be viewed by other users – and possibly even competitors. To prevent this, cloud service providers should ensure proper data isolation but, regardless, shared memory and resources create a new attack surface.
Another potential vulnerability is the extensive use of virtualization. Virtualization changes the way software interacts with hardware by creating an additional layer – the virtualization layer – that itself must be properly configured and secured.
A malicious insider such as a system administrator can access sensitive information that in turn enables access to critical systems and eventually to data. Businesses that are totally dependent on cloud providers for security are at greater risk. Although there are measures to counter this threat (e.g., criminal background checks), it will probably always be around.
If your data is stored in the cloud, it can disappear for reasons other than malicious attacks. For instance, it can be accidentally deleted by the cloud service provider. It can also be permanently lost during a natural catastrophe such as a fire or earthquake unless you or the provider takes measures to back it up.
Denial-of-service (DoS) attacks are designed to prevent users from being able to access their cloud data or applications. By forcing the targeted cloud service to consume immense amounts of limited system resources such as processing power or network bandwidth, attackers can cause a system slowdown and leave all users without access to services.
How About Security of Private Cloud?
Private cloud, also known as internal or enterprise cloud, is a model of cloud computing that takes place in private infrastructure (e.g., a company’s intranet or a hosted data centre) for the dedicated use of a single organization.
In terms of security, a private cloud is widely suggested as a better option than a public cloud. The reason is simple: since private clouds have only one owner with access, they allow much higher levels of control over data together with some cloud benefits like scalability or running virtual machines.
However, a private cloud can be even less secure than a public cloud for several reasons:
- It’s important to realize that a private cloud uses the same, or very similar, infrastructure as a public cloud, from hardware to virtualization software. As a result, both models share many of the same security concerns. However, public cloud providers also have years of hands-on experience in ensuring the security of their infrastructure. Does your IT staff have the same level of expertise and can they keep up with all the latest types of malware and security attacks?
- Unlike public cloud providers, many companies with private clouds deploy older technology and delay investing in major hardware and software updates each year. However, if your gear is only sufficient to protect against current threats, it will certainly leave you open in the event of more sophisticated attacks in the future.
Hybrid Cloud Security Issues
Hybrid cloud is probably the most sophisticated cloud computing model: it uses a mix of private and public cloud services with coordination between the two platforms. Among other benefits, this model allows businesses to build an in-house IT infrastructure for daily computing workloads and use additional resources from public or private clouds when there is a spike in processing demand.
Security in a hybrid cloud is arguably more complex than in any other cloud model. When your workloads shift from the private to the public cloud, there is an inevitable transition from your internal security systems to those provided in the public cloud. During this transition, as data and apps migrate from one system to another, there is a major risk of a security “gap” that can be exploited. This is not an easy problem to solve.
The Weakest Link
Generally, any hosting model where computing resources – both hardware and software – are dedicated solely to one organization (e.g., on-premises server or a hosted private cloud) provides the highest level of security. First, data is processed and stored within your organization at all times; no third parties have access to it. Second, it is much easier to meet IT security compliance standards (again, because no third parties are involved).
Therefore, a dedicated environment is usually a safer choice for government agencies, financial institutions and other mid- to large-size organizations that require direct control over their data.
However, most security experts agree that it doesn’t matter where your data resides if you don’t have proper security measures in place. Other things to consider:
- On-premises or not, there are very few instances left where data is not accessible from the Internet.
- Even the safest systems will fail where human error is present.
So, in the end, your data is only as safe as your policies and the trustworthiness of your employees. That said, if you are looking for the ultimate security in SharePoint document and email management, we certainly have the products: JungleDocs and JungleMail are designed to work on top of your on-premises SharePoint as 100% internal applications. That means no external web service calls or external data storage whatsoever. Give them a try and let us know what you think!