Fallacy: The Cloud Substantially Cuts Security Costs
Because the business is always responsible for its own security, the IT team should be applying the same configuration controls, collecting the same logs and installing the same network security technology that it did when the application was in its own data center.
It is true that the business may save money on a few items, like physical security and disaster recovery. But whatever savings are realized should be spent on doing a better job in three areas most businesses put off and don’t invest in until they learn an unpleasant lesson: network microsegmentation, change management, and security information and event management (SIEM) analysis and rule-writing.
Fact: Putting More Applications in the Cloud Makes Security Harder
Actually, whether cloud-based applications make security harder or easier is largely up to the business, but the trend is that they make things more difficult. This difficulty comes from the lack of standardization and coordination among cloud service vendors. Each cloud service provider, whether Software as a Service (SaaS), Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), has a different viewpoint on how security should be done and how the responsibility should be shared. And businesses have to deal with them all.
A business with a very small number of vendors only has to reconcile a small number of viewpoints and security strategies in its own security roll-up. But when it starts notching up a long list of vendors that are all cloud service providers, then it is making life complicated for its IT security team.
That might come with a good rationale, such as wanting to have some leverage in contract negotiations or wanting to cherry-pick among services offered to get the best price possible. But there is a cost in overall security complexity. It’s a balancing act, but network managers know that the marginal cost of adding a new service provider is higher than that of simply adding more applications or services with the same provider. That may not be enough of an argument to sway the C-suite, but it’s the job of tech leadership to point out these facts as input for the decision-making process.