The question of whether to move data, infrastructure, and web sites to the cloud is often marked by indecision.  The acknowledged benefits – cost and time savings – are carefully weighed against perceived risks – loss of control or security.   

Those who choose to move data or applications to the cloud are sometimes seen to have chosen convenience at the expense of security.  It can seem counterintuitive to look to the cloud to provide security.  Yet for certain tasks, especially those requiring scale and intelligence, the cloud is the best place to provide security.

Let's start with the easier of the two points:  Why the cloud for scale? Moore's law famously states that the number of transistors on a capacitor doubles every 18 months.  The lesser-known “Butters' Law” predicts that network throughput doubles every nine months.  As a result, today's on-premise application firewalls have been engineered to offer staggering throughput capacities compared to those offered four, five or 10 years ago.

The most popular firewall vendors offer high-end models that can handle up to 2 Gbps.  Those capacity levels mean the devices can handle more traffic than their owners can lease from their ISP – especially if they are stringing together a few application firewalls with a load balancer.  Those capacity levels also represent around four times the maximum throughput offered by firewall vendors in 2010, according to observation at Akamai.  As such, the maximum capacity of application firewalls has doubled every 12 months, slightly faster than Moore's law and slower than Butters' Law, but nevertheless impressive.

Meanwhile, the bad guys whom the WAF is meant to thwart are also sitting behind an upstream provider. They have their own appliances used to launch attacks that are both enabled and limited by the same technological laws.  However, attackers generally have fewer qualms about using the cloud to their advantage.  For them, it offers physical resources as well as the chance to collaborate and share tools. And though they are usually fastidious about their own privacy, they do not have the privacy of customers to protect.  For this reason, as mercenaries have offered botnets for rent, we have seen the average size of distributed denial-of-service (DDoS) attacks grow more than sevenfold in the past four years – nearly double the rate of on-premise WAF capacity growth.  We have seen the speed at which passwords are guessed by cloud-hosted password cracking services increase at similar rates.

Given the nature of its architecture, the cloud will always include more hardware, throughput and processing power than an individual organization's datacenter. The organizations that do not take advantage of the cloud to acquire scale will always be at a disadvantage when fighting attacks that require scale.

Etymologically speaking, information is collected to make knowledge and data is collected to make information.  Knowledge about attackers has a prerequisite: data. Although intelligence requires more than just knowledge – and data – ultimately data is a pre-requisite for knowledge.  Generally speaking, the more data organizations have, the more potential to turn data into intelligence. 

Scale matters in terms of generating intelligence.  If an organization doesn't allow itself to learn from data in the cloud, it subjects itself to the same disadvantages as the organization relying on hardware to block attacks.  Namely, the organization is limited to data that:

1) Is gathered by the organization itself

2) Is defined as “public”

3) “Fits” through its upstream pipe

4) Can be physically stored

Big Data is getting more enormous every day.  In order to gather and analyze big data, an entity must access information from different sources.  There are few organizations that are producing enough information to gain a holistic view of attack trends.  Those organizations aren't in the business of analyzing data, nor do they necessarily have the means to do so.  In order to analyze data, you need to store it, or at least store information about it, which requires space.  IDC estimated that as early as 2009 the rate at which data was proliferating outpaced the ability to store it by 25 percent, and that today it does so by more than 300 percent [1].

The cloud has access to data from multiple organizations.  Provided that the cloud provider is trusted, it should be in a better position to provide intelligence.

So the cloud, though initially seen as an enemy, is well-suited to provide security.  When security requires scale – for fighting DDoS attacks or inspecting web requests for malicious intent – the cloud may be a prerequisite for providing security.  And when security requires intelligence – or in other words the ability to gather, store, and analyze data – the cloud is a necessity.

[1] IDC “Global Information created and available storage” 2009