Top 5 Cloud Security Myths Exposed

When organizations migrate to the cloud, they don’t just benefit from the agility offered by cloud solutions. Several negative tensions are created, largely due to inexperience working with cloud solutions. This combination of benefits and tensions created several myths about the cloud which are still prevalent today.


With projections for the worldwide public cloud services market expected to grow it's time to finally put these myths to rest.

Cloud image

Myth #1: The Cloud Is Unsafe

The cloud itself is not inherently unsafe. When used properly, it is no less safe than a typical data center. Throughout the FireEye Mandiant incident responses conducted on public clouds, we have yet to see a case where the cloud infrastructure itself was exploited. Improper cloud configuration or vulnerable customer code has been discovered, but not flaws in the cloud provider’s code or infrastructure. In fact, 94% of small businesses have reported security benefits after moving to the cloud1.

Granting and administrating permissions to customize a cloud environment creates vulnerabilities which tend to be the cause of security issues for many organizations.

Knowing is half the battle webinar

Myth #2: My Organization Doesn’t Use The Cloud

The term “cloud” includes the category of software as a service and virtually every organization uses some form of web service, whether it is for human resources, banking, shipping, content management, web hosting or any of the other activities that take place in a modern business. Even if organizational policy does not explicitly permit cloud services, or no overt evidence of cloud service usage exists, your organization may still rely on the cloud.

Pie charts

Myth #3: My Cloud Provider Will Keep Me Secure

Under the shared responsibility model, the cloud tenant is the ultimate custodian of their data and is responsible for safeguarding it. The cloud provider ensures that the facilities are secure, the hardware is not compromised and the underlying software and operating systems of any services offered are secure. It is up to the customer to make sure that virtual machines are patched, applications are not vulnerable and permissions are appropriate.

Safeguarding the cloud consists of three high-level activities:

Protect credentials used to access resources and monitor for compromise

Be vigilant for and guard against misconfiguration

Centralize telemetry data for visibility to support security monitoring to audit trails

Since cloud providers won’t be intimately familiar with every organization’s line of business, it is ultimately the organization’s responsibility to verify that their data is secured.

Myth #4: The Cloud Is Just Someone Else’s Computer

Securing the cloud is not like securing a computer in someone else’s data center. Microseconds of hundreds or even thousands of computers are used to fulfil a simple request. Your file is not stored on just one server in a set location; it goes on dozens of servers. There are storage services, containers and other non-traditional services to consider in addition to more familiar virtual machines. These services may be comprised of hundreds or thousands of real servers spread across many data centers, all to fulfil a single service request.

The traditional data forensic analysis you used to do on a server still needs to happen—it just happens in a very different way. Additional visibility requirements and more planning are required to provide security controls and instrumentation around distributed and non-discrete computer offerings. These services may have an API to use, but the concepts of IP addresses and operating systems often don’t apply.

Data Center

Myth #5: Advanced Adversaries Aren’t Attacking The Cloud

Attackers follow data. As data goes into the cloud, so will the attackers. Approximately one quarter of our Mandiant incident response engagements involves assets housed on a public cloud and almost all of them involve the public cloud in some way. The cloud does not hinder threat actors—they easily adapt their tools, tactics and procedures to compromise cloud accounts to get access to confidential data, steal computing resources and spy on targets.

The average organization can move more quickly and lower costs by moving to the cloud, but they should understand that anything of value they put there will be a target and they need to protect resources accordingly. This means they should not only implement basic best practices for cloud security, but also have their security operations ready to actively hunt down advanced attackers that pursue data into the cloud.

To learn more about cloud security, visit:

  • 1 Microsoft. Driving Growth Together: Small Business and the Cloud
  • 2 (Sept 2018) Cloud: The Picture in 2018 and Beyond
  • 3 451 Research (Jan 2019) Going Hybrid: Demand for Cloud and Managed Services Across Asia-Pacific
  • 4 Forbes (Jan 2018) 83% of Enterprise Workloads Will Be In The Cloud By 2020