Cloud adoption and improved security
Is the cloud more secure than on-premises infrastructure? It is a very common question, and one that Phil Venables, the VP/CISO of Google Cloud, in short says yes to. The complete answer is more nuanced and grounded in 8 “megatrends” that drive technological innovation and improve the overall security posture of both cloud providers and customers.
As the blog post linked to above says, in general the base security of the cloud coupled with a suitably protected customer configuration is stronger than most on-prem environments. My opinion is that it’s hard to disagree with this. Sure, you could have the same default level of security in your on-prem environment with a lot of effort, and you could of course get a lot of security issues with weak configuration in the cloud. But overall, given the drive for innovation and the race to provide even more secure services than the competition, I must agree that the baseline of security keeps improving, and by default this gives you a better security posture in the cloud compared to an on-premises environment.
At a high level, the 8 megatrends presented by Google Cloud are:
You can read about these megatrends in depth in the blog post, so I’m not going into detail on each of them here. In general, none of these “megatrends” is exactly new as an explanation of why cloud security keeps getting better. That the drive for better security in the cloud drives adoption is also evident. “The HashiCorp State of Cloud Strategy Survey” says “Security concerns” is the second-highest inhibitor to an enterprise’s cloud program, with 47% of the respondents naming this as an issue, only beaten by “Cost concerns” (with 51%). Given that security concerns are one of the main blockers of cloud adoption, a drive for improving the security baseline and lessening the complexity of security controls should indeed drive cloud adoption.
One of the more “controversial” megatrends is the concept of a “shared fate”. Now, this is coming from Google Cloud, which has a Risk Protection Program. They are moving beyond shared responsibility in that they provide guidance and security blueprints to optimize security and provide tools to help manage ongoing security and compliance, which in turn lets customers transfer some of their risk by signing up for cyber insurance (in partnership with insurance providers). I’m not sure that all this actually means shared fate. But I do believe that the cloud providers benefit from helping their customers with guidance and security blueprints, since this reduces the chances of security breaches. All security breaches in the cloud reflect badly on the providers; I think we can agree on this. But are all cloud providers willing to really go beyond the shared responsibility model? And is this really feasible given the scale of the cloud?