How is the cloud safe?


Feels like we’re just putting all our stuff out there with a bow on it for a hacker. 🤷‍♀️


20 Answers

Anonymous

This question feels rhetorical, but let’s talk about actual answers. How do engineers secure your data that is hosted in the cloud? Before we start, it’s important not to think in absolutes. Nothing is 100% secure. Your computer is not 100% secure. Your home is not 100% secure. A prison is not 100% secure. Think in terms of “reasonable” security measures, which accept that there will periodically be intrusions.

I think a good analogy is to look at how banks keep cash safe. And yes, I know that banks handle much less cash than they used to, but it’s a useful analogy.

Banks approach the security of cash handling through three main areas:

1. Security in transit
2. Security at rest
3. Security in handling

For **security in transit**, banks use armored cars with armed guards. In the cloud, we use transport layer encryption. When you visit a website and you see “https” in the URL or a lock in your address bar, that means the site is using transport layer encryption. This makes it impossible for anyone to intercept that traffic and read the contents. Periodically, there are attacks on this transport layer encryption that put this at risk, but that’s the nature of security. There are successful bank truck robberies as well, but we still consider that process secure.

Banks implement **security at rest** by putting the cash in a safe. Safes are difficult to break into, so attackers are deterred from trying. They still sometimes get in, but a strong safe is considered reasonably secure. In the cloud, we put firewalls in front of our servers and databases to keep intruders off of our secure networks. This is the first line of defense against attacks, but even if an attacker gets through, we have additional measures we can use. We can also encrypt the data that resides in a database. That way, even if the attacker manages to break into our database, sensitive data is useless without the encryption keys that reside in another location.

**Security in handling** has to do with the people who must handle cash in order for the bank to operate on a day-to-day basis. This involves things like limiting who has access to cash, and in what amounts. Limiting who has keys to secure areas. And screening employees for criminal records. Cloud operators do a lot of these same things. We put access controls on infrastructure to restrict access to only those people who need it. Only a small group of high-level administrators have the ability to grant or deny access to sensitive resources. We also perform background checks on employees to ensure that we’re not hiring someone with a history of theft or fraud. We also look for things that might compromise an individual, like legal disputes or public affiliation with known criminals.
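The "security at rest" point above, that encrypted database contents are useless without keys kept somewhere else, shown as an added example that is not part of the original answer. The answer names no algorithm; AES-256-GCM from Node's built-in crypto module is an assumption here, and `keyStore`, `database` and all function names are hypothetical stand-ins.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed stand-ins: in a real deployment the key lives in a separate
// key management service, never in the same store as the data it protects.
const keyStore = { 'customer-data-v1': nodeCrypto.randomBytes(32) };
const database = new Map(); // everything an intruder sees after breaking in

function encryptField(keyId, plaintext, recordId) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', keyStore[keyId], iv);
  cipher.setAAD(Buffer.from(recordId)); // bind the ciphertext to its own row
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    keyId, // a key *name* only; the key bytes never enter the database
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

function decryptField(row, recordId, key) {
  const iv = Buffer.from(row.iv, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(recordId));
  decipher.setAuthTag(Buffer.from(row.tag, 'base64'));
  const pt = [decipher.update(Buffer.from(row.ct, 'base64')), decipher.final()];
  return Buffer.concat(pt).toString('utf8');
}

function storeSecret(recordId, value) {
  database.set(recordId, encryptField('customer-data-v1', value, recordId));
}

function readSecret(recordId) {
  const row = database.get(recordId);
  return decryptField(row, recordId, keyStore[row.keyId]);
}

// A copy of the database without the key store: decryption fails closed.
function readWithoutKeyStore(recordId) {
  const anyOtherKey = nodeCrypto.randomBytes(32);
  try { return decryptField(database.get(recordId), recordId, anyOtherKey); }
  catch (err) { return null; } // GCM authentication tag does not verify
}

storeSecret('acct-1001', 'constructed sample: account balance 1,250.00');
console.log(database.get('acct-1001'));        // opaque base64 fields
console.log(readSecret('acct-1001'));          // original value
console.log(readWithoutKeyStore('acct-1001')); // null
```

Binding the record ID as associated data also means a stored row copied onto a different record fails to decrypt, so tampering inside the database is detected rather than silently accepted.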
