# 3 Myths About Security in the Cloud

By [Matthew Chiodi](https://www.paloaltonetworks.com/blog/author/matthew-chiodi/?ts=markdown "Posts by Matthew Chiodi"), Apr 24, 2020, 6 minutes

[Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown) [30 Days of Cloud](https://www.paloaltonetworks.com/blog/tag/30-days-of-cloud/?ts=markdown) [Cloud Native Security Platform](https://www.paloaltonetworks.com/blog/tag/cloud-native-security-platform/?ts=markdown) [Prisma Cloud](https://www.paloaltonetworks.com/blog/tag/prisma-cloud/?ts=markdown)

###### "We must not be hampered by yesterday's myths in concentrating on today's needs."
###### -- Harold S. Geneen, former president of ITT, U.S. business leader and IT pioneer

In every field and in every age, myths develop over time. Some are instructive; others are destructive. There are many myths about security in the cloud.
I cannot think of one more pervasive than "public cloud is more secure than an on-premises data center." I should know, because for the longest time I believed it myself. But after working with hundreds of businesses around the world and laboring with the [Unit 42 cloud threat research team](https://unit42.paloaltonetworks.com/cloud/) to analyze petabytes of data, I now know it is simply not true. Let's dive in together and find a better path forward.

## **Myth #1: The public cloud is more secure than an on-premises data center.**

Cloud service providers (CSPs) have proclaimed this for well over a decade. When organizations are surveyed, one of the top fears around the cloud is typically security, so it plays well to sell the notion that the cloud is more secure than on-prem, where most compute still runs today. To be clear, CSPs have a largely stellar track record when it comes to securing their portion of the shared responsibility model. Incidents like the one cited [in this recent "Forbes" article](https://www.forbes.com/sites/zakdoffman/2020/01/30/severe-perfect-100-microsoft-flaw-confirmed-this-is-a-cloud-security-nightmare/#3a61db16b4a4) are few and far between. That is security *of the cloud*, as opposed to what customers are responsible for *in the cloud*.

I distinctly remember, in a previous role, our CSO asking me, "Do you really think the cloud is more secure than our data centers?" To which I confidently responded, "Absolutely!" In retrospect, I was dead wrong.
**Although the public cloud** ***has the potential*** **to be more secure than a traditional data center,** ***most organizations*** [***do not have these environments configured that way***](https://www.paloaltonetworks.com/blog/2019/09/cloud-aws-critical-cloud-misconfigurations/)**.** In the [2019 Unit 42 Cloud Threat Report](https://unit42.paloaltonetworks.com/cloudy-with-a-chance-of-entropy/), Unit 42 researchers found that 65% of all cloud security incidents were the result of customer misconfigurations.

Again, the cloud providers have done a good job of providing *secure services* (APIs and the like) to cloud consumers. But they have room for improvement when it comes to offering integrated, comprehensive, platform-level controls back to those consumers. In terms of the [shared responsibility model](https://www.paloaltonetworks.com/resources/videos/public-cloud-security-is-a-shared-responsibility), many organizations conceptually understand that they have security work to do in the cloud. However, they often fail to put the processes and controls in place to make it happen consistently. Could there be an underlying psychological basis for this myth, or is it something else?

## **Myth #2: DevSecOps is just about adding "security" or "scanning" to DevOps.**

I have included this one because, in my experience, DevSecOps is synonymous with the public cloud. Yes, it can include on-premises environments as well, but we see this only in some of the most advanced environments that run API-driven workloads in highly customized private clouds (think entire data centers purpose-built around specific workloads such as gaming).

![This screenshot shows an insecure Terraform template.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/04/azurerm.png)

Insecure Terraform template: SSH service on port 22 exposed to the entire internet.

DevSecOps is far more than simply running security scanners.
[DevSecOps](https://www.paloaltonetworks.com/blog/2020/03/cloud-native-security-platform-2/) is about completely changing how security, as a function, is planned and executed. In most organizations today, security is a distinct, isolated function. There is little interaction between developers and security, except when a new app is scanned a few days before a production launch and a slew of critical vulnerabilities is found.

**The wheels begin to move toward DevSecOps** [**when security teams, developers and IT teams alike advocate and deliver infrastructure and security as code**](https://www.paloaltonetworks.com/blog/2020/03/cloud-break-silos-devsecops/)**.** This is primarily done through Infrastructure as Code (IaC) templates such as AWS CloudFormation, HashiCorp Terraform and Azure Resource Manager (ARM), which in turn make immutable infrastructure practical. **Historically, security teams and code did not go together. But in the** [**cloud native age**](https://www.paloaltonetworks.com/blog/2019/12/cloud-native-security-platform-age/)**, it is imperative.**

Organizations are certainly moving in this direction. In the [Unit 42 Cloud Threat Report: Spring 2020](https://unit42.paloaltonetworks.com/cloud-threat-report-intro/), researchers identified more than 199,000 vulnerabilities in IaC templates. CloudFormation templates were the most affected, with 42% containing at least one high- or medium-severity vulnerability. IaC templates are a key component of a DevSecOps program, but that cuts both ways: if a template itself is configured incorrectly, every deployment built from it replicates the issue at scale. Organizations looking to transform from DevOps to DevSecOps should [concentrate first on people and process](https://www.paloaltonetworks.com/blog/2020/02/cloud-3t-shift-left-security/).
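As an added illustration, and not code from the original post or from any Palo Alto Networks product, here is the kind of policy-as-code check a pipeline would run to catch the Terraform misconfiguration pictured under Myth #2 before it is replicated at scale. It walks the JSON that `terraform show -json` emits for a plan and flags any `azurerm_network_security_rule` that allows inbound TCP/22 from the whole internet. The plan embedded below is constructed for this example (one rule open to `*`, one restricted to a bastion subnet); the attribute names follow the azurerm provider's resource schema, while the set of "internet" source aliases and the exact plan-JSON shape are assumptions of the example rather than anything the post specifies.

```python
"""Policy-as-code check: flag NSG rules that expose SSH to the internet.

Reads the JSON produced by `terraform show -json tfplan` and reports every
azurerm_network_security_rule that allows inbound TCP/22 from any source.
Example code; the sample plan below is constructed, not real Terraform output.
"""
import json

# Constructed sample plan in the shape of `terraform show -json` output
# (planned_values.root_module.resources). Attribute names follow the azurerm
# provider schema for azurerm_network_security_rule.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {"root_module": {"resources": [
        {   # the misconfiguration from the post: SSH open to the entire internet
            "address": "azurerm_network_security_rule.ssh_open",
            "type": "azurerm_network_security_rule",
            "values": {
                "name": "allow-ssh", "direction": "Inbound", "access": "Allow",
                "protocol": "Tcp", "source_address_prefix": "*",
                "destination_port_range": "22",
            },
        },
        {   # the corrected form: SSH only from an assumed bastion subnet
            "address": "azurerm_network_security_rule.ssh_bastion",
            "type": "azurerm_network_security_rule",
            "values": {
                "name": "allow-ssh-bastion", "direction": "Inbound", "access": "Allow",
                "protocol": "Tcp", "source_address_prefix": "10.0.1.0/24",
                "destination_port_range": "22",
            },
        },
    ]}},
})

# Source values treated as "the whole internet" (assumed list; "Internet" is
# an Azure service tag, the rest are wildcard spellings seen in templates).
ANY_SOURCE = {"*", "0.0.0.0/0", "0.0.0.0", "internet", "any"}


def port_matches(values: dict, port: int) -> bool:
    """True if `port` falls inside destination_port_range(s) ("22", "20-25", "*")."""
    ranges = list(values.get("destination_port_ranges") or [])
    if values.get("destination_port_range"):
        ranges.append(values["destination_port_range"])
    for r in ranges:
        r = str(r).strip()
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def source_is_internet(values: dict) -> bool:
    """True if any source prefix on the rule is a wildcard for the internet."""
    prefixes = list(values.get("source_address_prefixes") or [])
    if values.get("source_address_prefix"):
        prefixes.append(values["source_address_prefix"])
    return any(str(p).strip().lower() in ANY_SOURCE for p in prefixes)


def iter_resources(module: dict):
    """Yield every planned resource, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_exposed_ssh(plan_json: str, port: int = 22) -> list:
    """Return addresses of NSG rules allowing inbound TCP/`port` from the internet."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "azurerm_network_security_rule":
            continue
        v = res.get("values", {})
        if (v.get("direction", "").lower() == "inbound"
                and v.get("access", "").lower() == "allow"
                and v.get("protocol", "").lower() in {"tcp", "*"}
                and source_is_internet(v)
                and port_matches(v, port)):
            findings.append(res["address"])
    return findings


if __name__ == "__main__":
    hits = find_exposed_ssh(SAMPLE_PLAN)
    for address in hits:
        print(f"FAIL: {address} allows inbound TCP/22 from the internet")
    # Non-zero exit so a CI stage fails before `terraform apply` can run.
    raise SystemExit(1 if hits else 0)
```

Wired into the pipeline as a gate (the script exits non-zero on any finding), a template that opens port 22 never reaches the apply step. The same walk extends to other providers or ports by changing the resource type, attribute names and `port` argument.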
In a recent webinar, I recommended [five strategic steps](https://www.paloaltonetworks.com/blog/2019/05/cloud-big-cloud-5-holistic-cloud-security-strategy/) organizations can take when making this move.

## **Myth #3: CSPs natively deliver all the security controls a company needs.**

This myth is closely related to No. 1 but has a different rub. While the first cuts across the shared responsibility model to varying degrees, this one lands squarely on what is in the scope of the customer's control (and concern). When any service is provided to a customer, the business providing it has a duty to ensure adequate protections are in place from day one, *by default*. Although cloud consumers have largely shirked their accountability under the shared responsibility model, CSPs could do more while still aggressively shipping new features. New functionality is the lifeblood of any platform, and businesses have come to depend on the innovation CSPs provide. However, if equally useful, embedded security features [with secure defaults](https://unit42.paloaltonetworks.com/hunting-the-public-cloud-for-exposed-hosts-and-misconfigurations/) do not arrive as part of that new functionality, something is amiss.

Yes, CSPs have basic security controls on their platforms, and they continue to enhance them over time. However, organizations need more than CSPs can deliver natively. In a recent [Gartner survey](https://www.gartner.com/smarterwithgartner/why-organizations-choose-a-multicloud-strategy/) of public cloud users, 81% of respondents said they are working with two or more CSPs. Enterprise-grade security requires visibility and controls that span multiple cloud providers as well as hybrid clouds. This is why an entire industry sprang up around Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) security as early as 2013, with startups such as Evident.io, RedLock and Twistlock leading the pack.
#### **Defeat the Myths About Security in the Cloud: Never Trust, Always Verify**

As Geneen said: "We must not be hampered by yesterday's myths in concentrating on today's needs." This certainly holds true for the cloud. **As security professionals, it is our duty to move our organizations forward into the cloud native world.** This means we must do three things:

1. Advocate for [Zero Trust security models](https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture), which follow the mantra "Never trust, always verify."
2. Promote and encourage automated, scalable security through IaC templates.
3. Adopt [cloud native security platforms](https://www.paloaltonetworks.com/blog/2020/03/cloud-native-security-platform-2/) that work cohesively with multiple cloud service provider APIs and integrate organically into development pipelines, no matter where the pipeline lives.

To reap all the business benefits the cloud has to offer, we must dispel these myths with both facts and action.

*There are countless other myths about security in the cloud. Which ones did I miss? Connect with me on* [*LinkedIn*](https://www.linkedin.com/in/mattchiodi/) *and let me know.*

*For more insights from cloud security thought leaders, view sessions from the* [*Cloud Native Security 2020 Virtual Summit*](https://vshow.on24.com/vshow/Palo_Alto_Networks/registration/16700) *for free and on-demand.*

This post originally appeared on [The New Stack](https://thenewstack.io/3-myths-about-cloud-security/).