The Security of Cloud Services and SaaS

Daniel Ayala will be posting articles about information security, privacy and compliance in our blog. Throughout his 25 year career, he has led security and privacy organisations in banking and financial services, pharmaceutical, information, higher education, research and library organisations around the world, and both writes and speaks regularly on the topics of security, privacy, data ethics, and compliance. He also happens to be LabArchives Chief Information Security Officer!

Part 1: The Value of Scale and Scope

Greetings LabArchives Reader,

A question was posed to me, “a few years ago, there was a pretty powerful feeling that cloud applications were not as secure as on-premise based applications. Has that changed?”

There has long been a belief that cloud-based applications are not as secure as on-premise based applications. While this may once have been true, the maturity of the space warrants a re-look at this topic. Since all three LabArchives products Electronic Lab Notebook (ELN), Inventory and Scheduler are based in the cloud, I thought it beneficial to cover some of the ways that cloud security not only remains secure in 2021 but in many ways has benefits that are more difficult for on-premise implementations to achieve.

Security Disclaimer

I wouldn’t be a responsible information security professional without setting expectations and putting some disclaimers out there. First, there is no such thing as “perfect security.” The keys to success are taking the steps possible to secure an application in a way that balances the need to use a system with the mandate to protect the information within it. The security of both on-premise and cloud-based services is nothing without good practices, including security by design in development, testing, operations, and response.

Value Proposition & Challenges

Performance and data protection are both critical when using a system. The use of geographically dispersed cloud services moves the hosting closer to users’ hubs to improve the user experience and reduce latency. It also ensures users can store and access data within a particular country or set of countries as required by data-protection laws or grant requirements. Cloud services bring broad, reliable availability to shape their use to efficiently meet data residency requirements without having to build and staff new facilities.

For a long time, a key to securing a system was direct control over it. That included being in a data centre that could be visited, having a second physical machine act as failover and having robust, redundant connections between the two devices. Suppose something went wrong with the device or the software on it. In that case, an administrator could walk downstairs (or call a person at the data centre) to physically act on the box, be it reboot, pull a hard drive or replace the machine itself.

Organisations have also invested large sums in data centres located on or near their campuses. These are often owned or dedicated properties, and the financial stake in these facilities is a sunk cost that encourages those organisations to want to fill and use these facilities whenever possible. They often feature high investment in redundant power, enhanced network connectivity from multiple sources to increase availability, specialized HVAC, plumbing and physical / cyber security. In some cases, the organisation has various physical data centres located apart from each other for additional reliability in case of disaster.

However, in some cases, these data centres’ geographic diversity may only be a few miles from each other, on or near the campus itself. The lack of broader distance between them means that if a physical disruption were to occur, then it is likely that both locations would be affected and take out the capability of all systems in the data centres. What would happen if a meteor crashed into the area at 3:00AM and rendered all nearby data centres inoperable? Most research and education organisations have global reach and aggressive availability requirements.

A cloud service or software as a service (SaaS) offering is usually designed and implemented in multiple existing cloud data centres, often on opposite ends of the country or continent, without the need for building, occupying, and filling new, distinct data centres. It’s easy to add additional presence with a click of a button, and if there’s an issue in one location, the packets can be picked up by another.

This is part one of three in a series on the security of cloud and on-premise software. In our next installment I’ll cover the benefits and challenges of technically securing and monitoring both on-premise and cloud technology implementations.