Is the Public Cloud Secure Enough? Six Megatrends that Put This Debate to Rest
By Mark Johnston, Head of Security, APAC, Google Cloud
Southeast Asia’s digital economy was estimated to be worth US$174 billion in 2021 and is on track to hit US$363 billion by 2025, according to the latest eConomy study by Google, Temasek, and Bain & Company. Much of this growth has been driven by businesses shifting from on-premise infrastructure (i.e., purchasing and maintaining their own IT servers and other hardware) to the public cloud.
The business benefits of this shift are clear: increased productivity, enhanced customer experiences, decreased capital expenditure, and reduced time-to-market for new products and services.
Security is, however, another key cloud adoption consideration, especially with Southeast Asia reporting a 600 percent rise in cybercrime. Security’s paramount importance in the digital economy is underscored by the National Cyber Security Agency of Thailand and the Cyber Security Agency of Singapore recently announcing new initiatives and policy reviews to enhance nationwide cyber resilience.
They won’t be the last government agencies in the region to do so. As the public cloud becomes a driver of digital and economic transformation, this raises the question: can it be more secure than on-premise infrastructure?
The answer? Yes, but only if organizations keep pace with six megatrends that compound the cloud’s inherent security advantages.
Trend #1: Economies of scale democratize access to advanced cloud security
Public clouds operate at sufficient scale to implement higher levels of security that few organizations can afford to fully construct on their own. Titan security chips in servers and confidential computing nodes, for instance, deliver an unprecedented level of malware resistance and end-to-end data encryption, but their per unit cost is by no means trivial. Delivering this advanced level of security by default is cost-efficient for cloud providers like Google Cloud, given the economies of scale and lower per unit cost of deploying these chips and nodes everywhere across planet-scale infrastructure.
Ninja Van, a fast-growing logistics unicorn with operations in Singapore, Malaysia, Indonesia, Thailand, Vietnam, and the Philippines, is an example of a cloud-first organization that’s benefitting from advanced encryption capabilities that are designed by default into Google Cloud’s infrastructure. Ninja Van can therefore invest incrementally in custom configurations or enhanced security features to reinforce its existing zero-trust security model.
The cloud has become the strategic epitome of raising baseline security standards by reducing the cost of deployment – in a way that on-premise infrastructure cannot match.
Trend #2: More skin-in-the-game with a “shared fate” model
Getting security right can be challenging, and organizations with on-premise infrastructure are fully responsible for building effective security programs on their own. On the other hand, cloud computing has always been underpinned by “shared responsibility”: cloud providers are responsible for securing underlying infrastructure (security of the cloud), while the customer is responsible for secure configuration, data protection and access permissions (security in the cloud).
But as a flywheel of increasing trust drives more businesses to transition to the cloud, cloud providers are compelled to have more skin-in-the-game. This ensures that players like Google Cloud go further to create a mutually dependent shared fate model: “if our customers are not secure, then we’re collectively not successful.”
The result of this is Google Cloud’s full commitment to organizations’ security, as seen in secure-by-default configurations, secure blueprints and policy hierarchies, as well as control assurances in the form of compliance certifications, content audits, regulatory compliance support, configuration transparency for ratings, and Risk Protection Program insurance coverage with Allianz and Munich Re.
To adhere to strict data protection and privacy requirements when rolling out its digital household travel survey to understand commuters’ transportation patterns and gather insights for future planning, Singapore’s Land Transport Authority (LTA) worked with Google Cloud to implement the necessary security measures and control assurances. This includes the agency applying cloud-native identity and access management so only authorized staff can access digital household travel survey data, with a built-in audit trail to track all access activity. LTA also leveraged cloud network security to protect its website from common vulnerabilities.
Trend #3: Healthy competition in cloud security
The pace and extent of security feature enhancements are accelerating as global public cloud providers compete to create and implement next-generation security technologies. This not only progressively increases cloud security norms in tandem with business agility and productivity, it outperforms what’s possible with on-premise infrastructure.
Having observed that 86 percent of compromised servers were used to perform cost-intensive cryptocurrency mining, Google Cloud acted quickly to design a first-to-market detection capability for organizations to protect themselves against cryptocurrency mining, as well as data exfiltration and ransomware. The continuous commitment toward enhancing cloud security capabilities also underpin Google’s recent acquisition of Siemplify.
Cloud will always lead on-premise environments that have less of a competitive impetus to provide progressively better security. On-premise may never go away completely, but cloud competition drives security innovation in a way that on-premise hasn’t and won’t.
Trend #4: Cloud as the digital immune system
Public cloud providers continuously deliver hundreds of updates, with every security update informed by requests, threats, vulnerabilities, or new attack techniques – whether it’s the growing abuse of servers to generate traffic to YouTube for view count manipulation or state-sponsored cyber-attackers posing as talent recruiters in targeted spear-phishing campaigns.
Google Cloud’s dedicated engineering teams embrace vulnerability discovery by crowdsourcing and attracting the world’s best security researchers. They then distill the best innovations and practices from tens of thousands of organizations, before abstracting and autonomically assimilating them for all.
As a result, security improvements are not just specific countermeasures, but enhancements that defeat whole classes of attacks.
Google Safe Browsing, for instance, currently protects more than four billion devices and their users’ personal information from potential malware and phishing scams. If you’re a company that doesn’t have a large security team or this level of resources, then an optimal strategy is to embrace the security feature updates that the cloud provides to protect networks, systems and data. It’s like tapping into a global digital immune system.
Trend #5: Software-defined infrastructure automating security and compliance controls
Another advantage of the cloud over on-premise is its software-defined infrastructure, which can be dynamically configured without companies having to manage hardware or cope with administrative toil.
From a security standpoint, this means that organizations can explicitly define and implement their security or compliance policies as code, and centrally monitor their effectiveness over time.
Compliance policies as code, for instance, can be summarized as an organization’s ability to automate the verification, remediation, monitoring and reporting of compliance or non-compliance. For a digital organization to thrive, it is critical to enforce controls like where it’s acceptable to store specific types of data or which specific users can access that data – and ensuring these are followed at scale.
Bank Rakyat Indonesia, for example, became the first bank in ASEAN to be certified as ISO 27001 – or information security – compliant.
Today, it continues to leverage Google Cloud’s software-defined infrastructure to ensure compliance at scale, as it connects its systems to an ecosystem of more than 70 third-party fintech partners to offer banking services that reach underserved consumer segments.
Additionally, a software-defined infrastructure is a force multiplier for applying zero-trust controls like BeyondCorp and BeyondProd to secure user access and applications, as well as to provide a platform for secure software supply chain management using the SLSA framework.
Trend #6: The growing velocity of software deployment
Lastly, cloud providers automate software deployments and updates with continuous integration / continuous deployment (CI / CD) systems.
This frequently delivers security enhancements and updates supported by consistent product versions everywhere, thereby achieving reliability at scale while permitting rapid roll-back if needed. This enables organizations to innovate even quicker, with less risk.
Going back to Ninja Van, which releases hundreds of new software features daily – from a chatbot that enhances customer experiences to algorithms for fuel-saving route optimization. The ability to leverage the cloud’s automated software deployment capabilities – including patch management – not only helps the tech-enabled company stay ahead of potential vulnerabilities, it ensures that Ninja Van’s technology teams can avoid engaging in manual backend configurations to stay laser-focused on innovation.
Propelling security forward, with greater speed and less cost and effort
These six megatrends reinforce the public cloud’s security advantages over on-premise infrastructure. Forward looking companies with a cloud-first approach, including those in regulated industries, are already tapping enterprise-grade economies of scale, leveraging next-generation security innovation, developing digital immunity, and benefitting from automated control configurations and deployment velocity – all at a lower cost and with less effort than before.