TDWI Upside - Where Data Means Business

Cybercrime and Cybersecurity: The Best Defense is in the Cloud

The best place for managing the security of traditional enterprise applications is where the best resources are: at the cloud service provider.

The motivations for moving enterprise applications such as ERP and CRM to the cloud have historically been ease of deployment, access to elastic resources, and the ability to shift IT spending from a capital expense to an operational expense. Although these motivations were sufficient to create a nascent but highly successful cloud market in the last decade, many companies chose to sit on the sidelines of the cloud revolution because of the perceived lack of security and safety.

This made a lot of sense -- many cloud pioneers built great cloud apps but initially skimped on the security, redundancy, and failover that characterize enterprise-grade data center operations. CIOs and other IT execs worried that mission-critical data wouldn't be safe or secure in these start-up operations, and in many cases they were right.

Today's Cybercrime Brings New Dangers

However, the majority are on the sidelines no longer. Study after study has shown a massive shift towards the cloud in the last two years, with more cloud adherents on the way. Ironically, those security concerns that kept IT grounded on terra firma have been swept away because today's security concerns provide compelling reasons for going to the cloud: the weekly headlines about cybersecurity breaches at companies and government agencies around the world.

These headlines -- replete with victims culled from companies and government entities large and small -- have exposed the essential truth about cybercrime: the quantity and quality of cyberattacks are increasing faster than most enterprise security budgets, often by orders of magnitude. The result, so the common wisdom goes, is that when it comes to cybersecurity, there are only two kinds of companies: those that have been hacked and those that are about to be hacked.

This global hack-fest has exposed the soft underbelly of cybersecurity in company after company: most lack the right processes, the right technology, or the right people to combat this growing threat.

Cloud Providers Have the Resources for Cost-Effective Security

Fixing that triple threat is where the shift to the cloud comes in.

The thinking goes like this: because it's cost-prohibitive for most companies to meet the cybersecurity threat head-on, letting a cloud vendor take responsibility for the problem makes a lot of sense. Cloud vendors have the incentive, they have the financial resources, they can attract the best talent, and their ability to leverage these resources across multiple customers makes delivering cybersecurity to hundreds or thousands of customers extremely cost-effective.

The major cloud vendors' annual budget for cybersecurity is orders of magnitude more than individual enterprises can spend. Microsoft reported last year that it invested more than $1 billion in cybersecurity, much of it directed at its Azure cloud platform and related products.

Contrast that number with MasterCard's announcement of a $20 million investment in cybersecurity last year, an announcement that garnered headlines for the relative size of the investment from a single company. Even accounting for the fact that Microsoft generates eight times the annual revenue of MasterCard, the difference between the two is still astronomical.

The spending power of Microsoft, Amazon, Google, IBM, and the like isn't the only reason to defer cybersecurity to a top-tier cloud vendor. Hiring and retaining top-notch security personnel is becoming prohibitively expensive, whether a company is located in Silicon Valley, Cedar Rapids, or Seattle. Top-notch experts are scarce outside the tech centers of the country, and even in places such as Silicon Valley, where the experts tend to be in greater supply, the best and the brightest are often working for start-ups or established tech vendors that can offer stock and other incentives most non-tech companies can't.

This combination of resources available to the cloud vendors allows them to stay ahead of a rapidly changing cybersecurity threat that has morphed from being the domain of pranksters, lone wolves, and opportunists trying to steal and resell credit card and other personal information to state-sponsored hacking for political gain and sophisticated industrial espionage targeting valuable intellectual property. There's no small amount of comfort to be had in letting cloud vendors that can spend hundreds of millions of dollars tackle this increasingly scary and ubiquitous world of cybercrime.

The cloud isn't a panacea by any means -- rogue or poorly trained employees are still a major weak link in any cybersecurity regime -- but it's clear that handing off the responsibility of managing the security for traditional back office functionality is the best way to go for most companies.

The big cloud companies will one day be hacked, too (as targets, they're just too big and too irresistible), but there's little doubt they are better able to command the budgets and resources needed to fight these issues than any small or midsize company, and most large enterprises as well. In the never-ending, cat-and-mouse game of hackers versus the rest of the world, no company can afford to go it alone anymore.

About the Author

Joshua Greenbaum is a principal at Enterprise Applications Consulting. He will be speaking at the IEEE Computer Society’s Rock Stars of Cybersecurity symposium in Seattle on Sept. 13, 2016.

