Cloud platforms have historically had an undeserved poor reputation for security compared to dedicated hardware. Much of that reputation was due to the ingrained suspicion of IT professionals who were used to having complete control of the physical infrastructure layer. If they didn’t have control over and insight into the bare metal, they weren’t prepared to trust the platform. In some ways, that’s admirable — their job is to protect the company and its data.
In reality, and as time has shown, there’s no real reason to think that a proven cloud provider is any less capable of securing infrastructure than in-house teams are. In fact, there’s every reason to think that cloud infrastructure providers have the expertise, the incentive, and the technology to do a better job of building and managing a secure platform than most company’s in-house IT departments.
Some of the security concerns were the result of uncertainty about the virtualization technology itself. Public cloud platforms share physical infrastructure between organizations. That’s not true of hosted and colocated dedicated servers.
The lessons of a decade of public cloud have been learned, and it’s fair to say that virtualization technology has proven itself secure. Virtualization technology has matured and is now thoroughly battle-tested.
And for companies that prefer to be the only user of physical hardware, private cloud platforms bring many of the same advantages as the public cloud on single-user infrastructure.
That’s not to say the cloud is inherently secure. Of course, it isn’t. The security of a cloud platform is entirely dependent on the expertise of the provider and their implementation. It’s possible to build a cloud platform riddled with vulnerabilities, just as it’s possible to build a vulnerable dedicated platform. Before choosing a cloud platform or a bare metal infrastructure platform, organizations should look carefully at the track record and external certifications of the vendor.
There are a number of factors that should influence an organization's choice of dedicated servers or cloud servers, but — all else being equal — the security implications of that choice should not override other factors.
For smaller companies without substantial in-house expertise, there’s another reason to be hesitant about the cloud — many cloud platforms offer almost no client support or management services. Smaller organizations relying on inadequate in-house expertise are at risk regardless of whether they’re hosted on dedicated or cloud infrastructure.