We are often asked if the cloud is more secure than on-premises infrastructure. The quick answer is that, in general, it is. The more complete answer is more nuanced.
An on-prem environment can, with a lot of effort, have the same default level of security as a reputable cloud provider’s infrastructure. Conversely, a weak cloud configuration can give rise to many security issues. But in general, the base security of the cloud coupled with a suitably protected customer configuration is stronger than most on-prem environments.
This grows more true as clouds mature. For example, as a fundamentally more secure architecture, Google Cloud has security built in because it adheres to zero-trust principles: the idea that every network, device, person, and service is untrusted until it proves itself. Defense in depth, with its multiple, layered defenses, is another core value that increasingly offers more levels of protection from configuration errors and from attacks.
At Google Cloud, we prioritize security by design and have highly capable security engineers. We also take advantage of industry “megatrends” that increase cloud security further, outpacing the security of on-prem infrastructure.
These eight megatrends actually compound the security advantages of the cloud compared with on-prem environments (or at least those that are not part of a distributed or trusted partner cloud). IT decision-makers should pay close attention to these megatrends because they’re not just transient issues to be ignored once 2023 rolls around; they guide the development of cloud security and technology, and will continue to do so for the foreseeable future.
Tune in: Prefer to listen? Hear Google Cloud’s Chief Information Security Officer VP Phil Venables discuss changes in 2022 and beyond in cloud security on the Cloud Security Podcast.
8 Industry megatrends that increase cloud security further
1. Economy of scale: Decreasing the marginal cost of security raises the baseline level of security. Public clouds are of sufficient scale to implement levels of security and resilience that few organizations have previously constructed. Google Cloud builds and operates a global network, and we build our own systems, networks, storage, and software stacks. We equip this with a level of default security never seen before: our Titan security chips that assure a secure boot, our pervasive data-in-transit and data-at-rest encryption, and the confidential computing nodes we make available, which encrypt data even while it’s in use.
We can also support specific, custom configurations with enhanced security features because the per-unit cost has decreased. Meanwhile, as more organizations move to the cloud, on-prem relative unit costs are going up, making cloud the epitome of raising baseline security in part by reducing the cost of control. The measurable level of security can’t help but increase.
2. Shared fate: A flywheel of increasing trust drives more transition to the cloud, which compels even higher security and even more skin-in-the-game from the cloud provider. Some cloud providers talk about “shared responsibility” but we take a broader view and follow a model that is much more about creating a mutually beneficial shared fate. We’re in this together. We know that if our customers are not secure then we’re collectively not successful.
This is why our security mission is a triad of Secure the Cloud (not only Google Cloud), Secure the Customer (shared fate) and Secure the Planet (and beyond).
We view shared fate as a philosophy of deeply caring about customer security, which gives rise over time to elements like secure-by-default configurations, secure blueprints, secure policy hierarchies, and consistent availability of advanced security features. We provide high-assurance attestation of controls through compliance certifications, audit content, regulatory compliance support, and configuration transparency for ratings and insurance coverage such as our Risk Protection Program.
3. Healthy competition: The race by deep-pocketed cloud providers to create and implement leading security technologies is the tip of the spear of innovation. The pace and extent of security feature enhancement to products is accelerating across the cloud industry. This massive, global-scale competition to keep increasing security in tandem with agility and productivity is a benefit to all.
4. Cloud as the digital immune system: Every security update the cloud gives you is informed by some threat, vulnerability, or new attack technique often identified by someone else’s experience. Enterprise IT leaders use this accelerating feedback loop to get better protection, like tapping into a global digital immune system. At Google, this feedback comes from multiple sources including our own globally-recognized security teams such as Project Zero, our Threat Analysis Group, and our Google Cybersecurity Action Team.
5. Software-defined infrastructure: Cloud is software defined, so it can be dynamically configured without customers having to manage hardware placement or cope with administrative toil. From a security standpoint, that means specifying your security policies as code, and continuously monitoring their effectiveness. The more you do it, the more you have a global knowledge base of best practices.
Software-defined infrastructure enables an approach of “controls and policy as code” where policy conformance can be explicitly defined and implemented such that you have significantly higher assurance that your environment is secured the way you expect.
Additionally, a software-defined infrastructure is a force multiplier for applying zero-trust controls like BeyondCorp and BeyondProd to secure user access and applications as well as to provide a platform for secure software supply chain management using the SLSA framework.
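A minimal sketch of the “controls and policy as code” approach described above, added here as an illustration and not taken from Google Cloud: each policy is declared as data plus a check, evaluated against an inventory snapshot, and re-evaluated later to surface drift. The resource fields, policy IDs and inventory snapshots are constructed for this example.

```python
# Added illustration of "controls and policy as code"; not Google Cloud code.
# Resource fields, policy IDs and inventories are hypothetical and constructed.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Policy:
    policy_id: str
    applies_to: str                 # resource "type" the policy governs
    check: Callable[[dict], bool]   # True when the resource conforms

def _no_world_admin_ingress(fw: dict) -> bool:
    # Admin ports must not be reachable from every IPv4/IPv6 address.
    exposed = {22, 3389} & set(fw.get("ports", []))
    world = {"0.0.0.0/0", "::/0"} & set(fw.get("sources", []))
    return not (exposed and world)

POLICIES = [
    # Missing attributes fail closed: an undeclared bucket counts as public.
    Policy("storage-no-public", "bucket", lambda r: not r.get("public", True)),
    Policy("storage-encrypted", "bucket",
           lambda r: r.get("encryption") in {"provider-managed", "customer-managed"}),
    Policy("net-no-world-admin", "firewall", _no_world_admin_ingress),
]

def evaluate(inventory: list) -> list:
    """Return sorted (resource name, policy_id) pairs that violate policy."""
    return sorted(
        (res["name"], p.policy_id)
        for res in inventory for p in POLICIES
        if p.applies_to == res.get("type") and not p.check(res)
    )

def drift(previous: list, current: list) -> list:
    """Continuous monitoring: findings that appeared since the last run."""
    return sorted(set(current) - set(previous))

# Constructed snapshots of the same environment at two points in time.
SNAPSHOT_T0 = [
    {"type": "bucket", "name": "logs-bucket", "public": False,
     "encryption": "provider-managed"},
    {"type": "firewall", "name": "fw-admin", "ports": [22],
     "sources": ["10.0.0.0/8"]},
]
SNAPSHOT_T1 = [
    {"type": "bucket", "name": "logs-bucket", "public": True,
     "encryption": "provider-managed"},
    {"type": "firewall", "name": "fw-admin", "ports": [22, 443],
     "sources": ["0.0.0.0/0"]},
    {"type": "bucket", "name": "scratch"},  # no attributes declared
]

if __name__ == "__main__":
    for name, pid in drift(evaluate(SNAPSHOT_T0), evaluate(SNAPSHOT_T1)):
        print(f"NEW VIOLATION {pid}: {name}")
```

Run on a schedule or in a deployment pipeline, the same policy list gates changes before they ship and reports drift afterwards.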
6. Increasing deployment velocity: Because of cloud’s vast scale, providers have had to automate software deployments and updates, usually with automated continuous integration/continuous deployment (CI/CD) systems. That same automation delivers security enhancements, resulting in more frequent security updates.
7. Simplicity: A common concern about moving to the cloud is that it’s too complex. But even today’s feature-rich cloud offerings are much simpler than prior on-prem environments—which are far less robust. Cloud is only going to get simpler because the market rewards cloud providers for abstraction and autonomic operations.
In other words, the cloud is an abstraction-generating machine for identifying, creating, and deploying simpler default modes of operating securely and autonomically.
8. Sovereignty meets sustainability: The cloud’s global scale and ability to operate in localized and distributed ways creates three pillars of sovereignty, which will be increasingly important in all jurisdictions and sectors.
The global distribution of many cloud providers means that cloud can more easily meet national or regional deployment needs. Similarly, workloads can be more easily deployed to regions with better energy profiles. That, coupled with cloud’s inherent efficiency due to higher resource utilization, means cloud is more sustainable overall.
Distribution also provides a means for organizations (and groups of organizations that make up a sector or national critical infrastructure) to manage concentration risks. They can do this either by relying on the increased regional and zonal isolation mechanisms in the cloud, or through improved means of configuring resilient multicloud services. This is also why the commitment to open source and open standards is so important.
The bottom line is that cloud computing megatrends will propel your security forward faster, for less cost and less effort than any other security initiative you may undertake this year. With the help of these megatrends, the advantage of cloud security over on-prem is inevitable.
Read more about these trends in depth, or learn how Google Cloud can help keep your organization secure and compliant.