How is the cloud safe?


Feels like we’re just putting all our stuff out there with a bow on it for a hacker. 🤷‍♀️


20 Answers

Anonymous 0 Comments

It isn’t.

Crickets.

OK, it can be but you have to be very detail oriented. A lot of the defaults you deal with when you set up your application in the cloud are decidedly insecure. The issue is whether your org is up to paying for in money and complication all of the things to make it secure. I hate to say it, but a lot aren’t. A lot were sold a bag of goods (I had a senior person tell me AWS has ‘thousands of PhDs watching our stuff’ [they don’t]) that didn’t quite match reality. I have seen cloud resources get locked by malware and data siphoned off that literally never happened when they were on premise. We were, just last week, taken down by an attack because no one thought to turn on the AWS WAF.

So the nuance is it can be, but if you go into it with an attitude of “*PHEW*, we don’t have to deal with all that pesky on prem firewall stuff anymore because the cloud has thousands of PhDs watching my network…” I promise you it will be open season on you.

Anonymous 0 Comments

“Safe” is not binary. It’s a scale.

When you put things in the cloud, there are now some attack possibilities that didn’t exist before (trusting people at your cloud provider is one).

However, you also get some new defense possibilities that didn’t exist before. One example is that in the past, many companies couldn’t afford to, or didn’t bother to update software and hardware when vulnerabilities are discovered. In the cloud, that is often handled for you, by specialists.

Anonymous 0 Comments

This question feels rhetorical, but let’s talk about actual answers. How do engineers secure your data that is hosted in the cloud? Before we start, it’s important not to think in absolutes. Nothing is 100% secure. Your computer is not 100% secure. Your home is not 100% secure. A prison is not 100% secure. Think in terms of “reasonable” security measures, which accept that there will periodically be intrusions.

I think a good analogy is to look at how banks keep cash safe. And yes, I know that banks handle much less cash than they used to, but it’s a useful analogy.

Banks approach the security of cash handling through three main areas:

1. Security in transit
2. Security at rest
3. Security in handling

For **security in transit**, banks use armored cars with armed guards. In the cloud, we use transport layer encryption. When you visit a website and you see “https” in the URL or a lock in your address bar, that means the site is using transport layer encryption. This makes it impossible for anyone to intercept that traffic and read the contents. Periodically, there are attacks on this transport layer encryption that put this at risk, but that’s the nature of security. There are successful bank truck robberies as well, but we still consider that process secure.

Banks implement **security at rest** by putting the cash in a safe. Safes are difficult to break into, so attackers are deterred from trying. They still sometimes get in, but a strong safe is considered reasonably secure. In the cloud, we put firewalls in front of our servers and databases to keep intruders off of our secure networks. This is the first line of defense against attacks, but even if an attacker gets through, we have additional measures we can use. We can also encrypt the data that resides in a database. That way, even if the attacker manages to break into our database, sensitive data is useless without the encryption keys that reside in another location.

**Security in handling** has to do with the people who must handle cash in order for the bank to operate on a day-to-day basis. This involves things like limiting who has access to cash, and in what amounts. Limiting who has keys to secure areas. And screening employees for criminal records. Cloud operators do a lot of these same things. We put access controls on infrastructure to restrict access to only those people who need it. Only a small group of high-level administrators have the ability to grant or deny access to sensitive resources. We also perform background checks on employees to ensure that we’re not hiring someone with a history of theft or fraud. We also look for things that might compromise an individual, like legal disputes or public affiliation with known criminals.

Anonymous 0 Comments

Replace all instances of “the cloud” phrase with “a random stranger’s computer”.

So a random computer in a location you don’t know with a security policy you don’t know and can’t influence. Who probably won’t tell you when they are hacked if they even notice themselves.

I hope that makes things clearer now you understand what “the cloud” actually is.

Anonymous 0 Comments

Safe from what?

From unexpected loss? If your data is stored on one of your local drives, then that drive could fail at any time, resulting in the permanent loss of that data. You certainly could set up local backups or a RAID array or something to mitigate that risk. But then it’s on you to keep all of that up to date and working right and restore if something does go wrong. In the cloud, you are letting somebody else who is much better at it take responsibility for keeping backups working right so your data is never inaccessible.

From being copied by hackers? Well it’s a trade-off. Your personal computer isn’t perfectly safe from hackers either – there’s plenty of malware out there meant to copy, encrypt, or steal local files. You’re probably not a very attractive target for that sort of attention though. Cloud providers are probably much more skilled than you at keeping hackers out, what with employing departments full of professional security experts, but they’re also a big juicy target. Other trade-offs include that your data probably isn’t the most interesting thing to some hacker on any particular cloud storage provider.

And what if you want to share the data with only one or a few particular people? If you email it or something, then it’s also on a cloud provider’s servers, and easy to accidentally or intentionally forward beyond what you wanted. Most proper cloud storage systems make it easier to share only with one or a few particular people. Or you could also physically hand them hardware USB drives or something, but that’s less convenient.

So there’s a lot of considerations and trade-offs depending on exactly how skilled you are and what is most important to you, but it’s not at all clear cut whether cloud storage is more or less safe than storing files locally.

Anonymous 0 Comments

I won’t be able to explain like you’re 5, because we’re deep into technical stuff. I’ll keep it brief.

Cloud Providers have figured out the best practices and make it easy to have them on by default. The front doors that hackers have to get through have been hardened due to relentless attacks from ever smarter hackers. Even when you get in, the systems have checks and protections against accessing neighboring data. The data is encrypted at rest and the key is further encrypted and protected behind layers of checks. Even employees at those companies have more and more restrictions before they can even access the garbled up encrypted data without the key needed to make sense of it all.

You, on the other hand, are indeed a smaller target, but you’ve got a very vulnerable computer with complete unrestricted access to the unencrypted data. A hacker can deploy a 0-day hack and lock your data out and ask for $5k of bitcoin so they’ll unlock it. The only way to protect yourself from online attacks on your PC is to never have your data online. Hard, but doable, however mostly useless as we move more of what we do online.

What is dangerous is a smaller company being overconfident that they can protect against hackers by their lonesome. Cloud Providers are really the only realistic option outside of only having your data on a computer that is never online and data you copy with a thumbdrive has extraordinary anti-virus checking on it before plugging it into your offline computer.

Anonymous 0 Comments

It’s not. Any data put into someone else’s cloud is available for them to look at.

Example: [https://nypost.com/2022/08/22/google-bans-dad-for-sending-pics-of-toddlers-swollen-genitals-to-doctor/](https://nypost.com/2022/08/22/google-bans-dad-for-sending-pics-of-toddlers-swollen-genitals-to-doctor/)

In this case, Google reported a father to law enforcement after he sent a picture of his son’s genitals to his doctor and the picture got backed up to Google’s cloud.

Anonymous 0 Comments

Nothing can be 100% secure, ever, technically. Even servers you physically have on your own premises can be insecure.

However it’s certainly possible to get secure enough that it can’t be accessed with current technology /knowledge

The cloud is a server (or bunch of servers) that is hosted in a data centre. The data centre takes care of the physical security and hardware maintenance side of things.

You can own your own servers on there or rent hardware through AWS / Azure / Oracle which you can for only what you need

Now the actual system you maintain so it’s as secure or insecure as you make it. They may have services you can consult with to assist you in securing it

If you are referring to the cloud as something like iCloud, that is pretty secure and has not been hacked (as far as I know) but far more likely people have been phished and their username & password has been stolen. This doesn’t mean the cloud service is insecure.

Anonymous 0 Comments

I do this (cloud security) for a living. Here’s the simple reality:

The Internet isn’t safe. That’s sorta the end of the discussion if you’re looking for absolutes.

But is the cloud *SAFER* than your chosen alternative? Possibly. Maybe even probably. Depending on your provider.

There’s a lot of stuff that has to be done right, and if you’re standing up an on-prem hosting environment, you’re probably not going to do them. It’s too expensive, especially over time. And what are the chances that you’ll *actually* get popped for skipping them? But big-ol’ cloud providers HAVE TO do all the basic things right because they’ve got multi-billion-dollar contracts that require a baseline level of safety that is well beyond the budget of most medium size companies to provide.

So, depending on the cloud provider you’re working with, you may be implicitly taking advantage of protections you didn’t even know were important. You may even see some of them as annoyances, who knows.

But ultimately, you’re the one making the security decisions for your use case, so there’s ample opportunity to botch it. The internet isn’t a safe place.

Anonymous 0 Comments

It’s neither more secure, nor less secure than anything else. It depends.

Instead of investing in your own, you use someone else’s infrastructure or software to process your data.

Depending on which party you use to do this, it is more secure or less secure. You need to assess that your cloud service provider is more experienced/has more knowledge than you to do this safely. (Or is adequate for your needs)

What most people don’t realize is that very often you only outsource *processing* of your data, you are still responsible for the data itself and you need to ensure processing matches the (legal) requirements of the data: Ex: Check if there is security in place, do monitoring, create backups, … Of course, if legally allowed, you can outsource this too, but it is often not a standard part of a cloud service/subscription.