The number one concern cited for avoiding cloud computing is security. And there is a reason for that. Cloud providers have demonstrated some spectacular failures in the past, including Amazon’s near total shutdown of an entire region, Dropbox’s authentication snafu, and innumerous cloud providers that go belly-up.

However, in the long run, cloud computing is destined to become more secure than in-house IT. I will briefly describe two dynamics in the industry that point in that direction, with substantiating evidence.

First, good cloud providers are getting better, as they have more staff available to do security, and bigger economies of scale, allowing them to sustain more security processes. Here is a case in point. Security people are, by nature, pretty paranoid. However, some are more paranoid than others. At a cloud security training I recently conducted, one of the attendants had created an Amazon Web Services account solely for the training. He terminated the entire account on the last afternoon. Just before the training was over, he showed me a message on his smartphone. Within an hour after he terminated the account, his LinkedIn profile was visited by somebody from the Amazon compliance department. Apparently his behavior was suspect. Either that, or they played a game on who can be the most paranoid.

As another example, does your IT department track rogue resource usage and credential leakage on a systematic basis? Some cloud providers do this for you, as this story of API credential leakage demonstrates.

Second, while the previous examples show that cloud providers can become better than the average IT department across the board, in specific areas specialized services are already way ahead of the competence and resources of the average IT department. This is nowadays called ‘Security as a Service’, or SecaaS (another example of an acronymic cloud nonomatopoeia), but the trend has roots that go back quite a while. Basically the idea is that a lot of security functionality is done in a better way by taking advantage of cloud computing essential characteristics such as elastic scalability and resource pooling.

Examples of SecaaS that you may be familiar with or are actually using are: Email spam and malware filtering, blacklist and other reputation services, DDoS mitigation and monitoring (i.e. performance). We are also seeing companies using cloud services as a component of a disaster recovery strategy. Innovation in this field is strong.

So, in conclusion, the market is nearing a ‘tipping point’ where the cloud may actually be more secure than on-premise IT.