Psychoanalyzing Security Cloud Fears

By Anton Chuvakin | March 20, 2019 | 4 Comments


Here is a funny one: why do so many security professionals (and leaders) still hate the cloud?

OK, OK, I get it, many of you want to respond to this with a WHAT YEAR IS THIS? meme right away, but let me finish…

To set the context for this, I am not talking about business use of cloud, but cloud use by security tools. In essence, this is about SECURITY FROM THE CLOUD, not security for the cloud.

Now, admittedly, the times have changed. SaaS SIEM is finally here and recent advances all look likely to make this model more popular. In some segments, like say vulnerability management, all relevant vendors have switched to cloud backends or, at least, will deliver new features to their cloud-delivered tools only. SaaS delivery became a default for SWG and SEG. Appliance-based CASB (yes, that really existed, this is not a joke!) has long died. Cloud backends and other forms of cloud-delivered management came to EPP, firewalls, etc. (“By 2025, cloud-delivered integrated EDR and EPP solutions will grow from 20% of new deals to 95%.” is from this paper).

In fact, our inquiry streams have seen plenty of “cloud first” [for security] and even an occasional “cloud only”, a new form of a cloud-lover. Clients with no datacenter presence and hence with no chance (or desire) for on-premise security tools are here to stay – and grow.

However, cloud-haters still abound. Who are they? Why are they hating? What will happen to them?

Some examples I’ve encountered are:

  • Geopolitical: there is some hating that is not focused on the cloud itself, but on a cloud hosted in (data residence) or run by (data sovereignty) a vendor from a particular country. Some don’t want US-run cloud EDR. A few perhaps will mistrust a Russian-made cloud-managed EPP. Some may doubt a Chinese cloud backended SIEM.
  • Legal/compliance: sometimes real, but often imagined, claims that some compliance mandate prevents security cloud use have been on the decline, but I hear that GDPR gave them a new lease on life (cloud UEBA anybody? Nope, not if the vendor cannot vouch for personal data in scope for this mandate)
  • Third-party trust: there is definitely hating focused on “others” or “aliens” (i.e. not us) running security capabilities and, especially, 3rd party personnel touching or even having a theoretical ability to touch my security data. My suspicion is that this is on the decline, but it can still be seen sometimes [how these people can trust their OS vendor or an outsourcer, I have no idea…]
  • NIH’ers: some dislike cloud-delivered security simply because they think they can do it better, following the “not invented here” logic. Frankly, few can – but a few actually can. Are you one of the latter few?
  • Comfort/past: some hate it simply because they have hated it before, and know no different. The appliance past is comforting to some network security pros, it really is. After all, lugging those 4U boxes around made you fit…
  • Edge cases: there is more legitimate dislike of cloud delivery if your IT is somehow peculiar (often disconnected, on low bandwidth links, located in space, under water, inside a secret volcano lair, etc.) and cloud simply isn’t there for you.
  • Bad security at some SaaS security vendors: the details here are self-censored 🙂
  • Irrational fears: this is my last bucket, where I pile all the rest of the cloud hating that is hard to categorize.

Any others you see?

Finally, what can break the backbone of most cloud-hating? In my opinion, there is one thing: SaaS/cloud-based tool effectiveness.

But not just increased effectiveness, but increased dramatically! Here is a hypothetical example: will you use a non-SaaS SIEM if a SaaS one is so smart that it detects threats 3X better and 5X faster (arbitrarily defined), while being 2X cheaper and 100X easier to manage? Can you justify a local EDR install, if an EDR with a cloud brain will detect 10X more threats without any effort on your behalf?

Thus, I think most if not all of the above arguments will crumble if the cloud-delivered security capabilities prove not just easier to manage (they are that today), but dramatically more effective. Note that IMHO for this to work, they have to be dramatically better and not just better or cheaper…

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Having spent the past six years quelling this fear in others for both SIEM and endpoint security, I am pleased by the signs that the remaining anti-cloud zealots primarily fit into your “irrational fears” bucket. I met an otherwise rational security professional in Dublin who refused to ever trust AWS simply because he hadn’t seen any breach notifications for them. His read was that this meant they were hiding thousands of breaches.

  • Ichinin says:

    Let me see some things that just jump forward:

    1. Security classification – requiring specific protection mechanisms that no cloud vendor can deliver because commercial security has lightyears to go.

    2. Poor SLA. Availability suffers and you cannot do anything about it – or even do any work, until your provider has fixed the problem. Few options to upgrade – unless you move to another vendor at a much higher premium, and you start to wonder, “why are we in the cloud again? Save money was it?”

    3. Being cohosted with potentially problematic neighbors, DDoS or unlawful activities. But then again, being on a blacklisted VPS provider is good for business, isn’t it?

    4. Poor bandwidth. Try pushing X terabytes of PCAPs into the cloud. I dare you. Logs aren’t everything and they rarely provide any context or detail. But then again – what do I know? I’m just a network forensics investigator…

    But yeah, these are all irrational and they could NEVER occur in a real life situation.

    The cloud has its use, but not like a “one size fits all” pair of socks.

    The word you are looking for is “nuance”.

  • Like any architectural transition, there are leaders and laggards. Just in the past few years I have seen security professionals largely become “cloud first”. Not all of course, as in some rare cases and in some security control domains on-premises is still warranted. But given the economics, ease of deployment and management, the effect of staff outsourcing provided by the cloud, and probably most importantly the value of the community defense or herd immunity provided by cloud services, the percentage of laggards will continue to rapidly shrink.

  • M James Young says:

    Cloud is another version of outsourcing. Data Center admins would lose headcount, budget, and prestige.