7 Cloud Security Myths in Indonesia You Need to Know

As cloud adoption continues to grow in Indonesia, various myths about cloud security are causing many companies to remain hesitant. In fact, when managed with the right strategy and controls, the cloud can provide a stronger security foundation compared to on-premises systems.

 

This article uncovers seven of the most common cloud security myths in Indonesia, along with facts, challenges, and solutions to help your company adopt the cloud more securely.

 

Myth: On-Premises Is Safer

In essence, both on-premises systems and cloud computing have their own advantages and disadvantages. Choosing the best option depends on the organization’s specific needs, the sensitivity level of the data, budget, regulatory compliance requirements, and scalability demands as the business grows.

 

If your company stores highly sensitive data and must comply with strict regulations, on-premises may be the more suitable choice. Meanwhile, for businesses that require scalability, flexibility, and cost efficiency, cloud computing can be the better option. However, many still believe that storing data in their own infrastructure (on-premises) is automatically safer than the cloud.

 

Fact:
Cloud security follows the shared responsibility model—cloud vendors are responsible for security “of the cloud” (infrastructure), while customers are responsible for security “in the cloud” (OS, applications, data, and network configurations). With the right controls (IAM, encryption, micro-segmentation, posture management), cloud security can even surpass on-prem. AWS, for example, explicitly outlines customer responsibilities for OS, patching, applications, and network controls.

 

The strength of the cloud lies in its security by design at hyperscale (HSM, KMS, Nitro/TPM, centralized logging) combined with automated compliance. However, the final outcome still depends heavily on internal security hygiene (hardening, patching, least privilege principles, and access controls).

 

Myth: Cloud Data Must Be 100% Stored in Indonesia

Before the enactment of the Personal Data Protection Law (PDP Law), Indonesia lacked a comprehensive regulation on privacy and personal data protection. Data protection was regulated separately across different sectoral or issue-based regulations.

 

The government then passed Law No. 27/2022 on Personal Data Protection, which took full effect on October 17, 2024. This law requires data controllers/processors to implement technical and operational measures to protect personal data. Data localization rules vary: public sector operators follow different requirements compared to private ones (GR 71/2019). Many sectors are allowed to store or replicate data across borders as long as legal, contractual, and cross-border safeguards are met.

 

Fact:
While the PDP Law requires strict protection of personal data, not all data must remain in Indonesia. Only strategic data—such as military, energy, or national security—must be stored in local data centers.

This means companies can still leverage cross-border cloud as long as they comply with applicable laws, contracts, and regulations.

 

Myth: Compliance = Security

Compliance (PDP, OJK, ISO 27001, SOC 2) is a baseline, not a silver bullet. Having complete certifications doesn’t guarantee the security of your cloud systems.

 

According to Cisco’s Cybersecurity Readiness Index 2025, only 9% of organizations in Indonesia are classified as “Mature,” with the rest at Formative/Beginner levels—indicating a gap between “having controls/certifications” and “real resilience against modern threats” (misconfigured cloud, leaked identities, AI-assisted attacks).

 

Fact:
Compliance is a baseline, not a guarantee. Many security incidents occur due to misconfiguration, leaked credentials, or uncontrolled excessive access. Companies need proactive strategies such as zero trust, layered monitoring, and employee training. Compliance is important, but it should not be the final step.

 

Myth: Indonesia Is Not a Ransomware Target

In 2024/2025, ransomware remains the top threat across all environments—on-premises, hybrid, and multi-cloud. Ransomware can cause severe consequences across industries, from massive data loss to the public exposure of sensitive information.

 

Some believe ransomware primarily targets developed countries.

 

Fact:
Research by SOCRadar identified 130 reported ransomware attacks, with Indonesia ranking as a primary target in 24 cases and being the most affected in 106 other global incidents. The manufacturing sector topped the list, followed by professional, scientific, and technical services, while the information sector was least affected.

 

Strong data backups, identity segmentation, and access controls in cloud environments are critical defenses against ransomware.

 

Myth: Encryption Alone Is Enough

Encryption is the process of converting readable data into an unreadable format (ciphertext) to prevent unauthorized access, use, or duplication. While essential, encryption alone does not guarantee complete protection.

 

Encryption (at rest/in transit) is mandatory, but encryption keys, access management, and configurations play a far greater role. The danger lies in assuming encryption automatically ensures full protection.

 

Fact:
Encryption is essential, but not sufficient. Many security incidents stem not from weak encryption algorithms but from misconfigurations (e.g., public access left open) or leaked credentials. Cloud security requires a combination of encryption, strict access management, and continuous identity monitoring.
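The misconfiguration case above (encryption enabled, public access left open) can be checked mechanically. The following is an added example, not code from CBNCloud or any provider: it audits one constructed bucket record whose outer layout (`encryption`, `public_access_block`, `policy`) and bucket name are assumptions, while the inner field names follow the AWS S3 bucket policy and Public Access Block formats.

```python
import json

# Constructed sample record: default encryption is on, yet the policy lets anyone read.
BUCKET = {
    "name": "example-reports",  # hypothetical bucket name
    "encryption": {"SSEAlgorithm": "aws:kms"},
    "public_access_block": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
    },
    "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-reports/*",
        }],
    }),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_statements(policy_json):
    """Allow statements with a wildcard principal and no Condition.
    Simplification: statements that carry a Condition need manual review."""
    hits = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal")
        if isinstance(principal, dict):  # e.g. {"AWS": "*"}
            values = [p for v in principal.values() for p in _as_list(v)]
        else:
            values = _as_list(principal)
        if st.get("Effect") == "Allow" and "*" in values and "Condition" not in st:
            hits.append(st)
    return hits

def audit(bucket):
    """Return findings; being encrypted does not clear a bucket of exposure findings."""
    findings = []
    if not bucket.get("encryption"):
        findings.append("no default encryption")
    pab = bucket.get("public_access_block") or {}
    # RestrictPublicBuckets is the setting that limits access under an existing public policy.
    if bucket.get("policy") and not pab.get("RestrictPublicBuckets"):
        for st in public_statements(bucket["policy"]):
            findings.append("public Allow on " + ",".join(_as_list(st["Action"])))
    return findings
```
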

 

Myth: Security Must Be Expensive

As cyberattacks become more sophisticated, companies are rethinking how they manage IT operational complexity, especially network security, access management, and security analytics. This has led to the belief that cloud security always comes at a high cost.

 

Fact:
Modern technologies such as Identity & Access Management (IAM) and Cloud Native Application Protection Platforms (CNAPP) enable companies to strengthen security more efficiently. With the right approach, security doesn’t always have to be expensive. In fact, the cloud can reduce operational costs while enhancing data protection.

 

  • Identity & Access Management (IAM): Essential for managing access scenarios in hybrid cloud and third-party platforms. IAM frameworks lay the foundation for zero trust, ensuring only authorized users with proper permissions can access sensitive company information.

  • Cloud Native Application Protection Platforms (CNAPP): A unified platform integrating various security solutions to protect cloud-native applications. CNAPP provides full-stack protection under a single control system, ensuring comprehensive cloud security.

 

Myth: Single Cloud Is Safer

Many companies believe relying on a single cloud provider reduces security complexity. In reality, modern threats are platform-agnostic. A single-cloud strategy is not necessarily safer—it can even introduce risks like vendor lock-in, single points of failure, and limited flexibility in responding to incidents.

 

Fact:
Single cloud strategies create risks such as vendor lock-in or single points of failure. For this reason, many organizations now adopt multi-cloud or hybrid cloud strategies for resilience and compliance.

In Indonesia, multi-cloud and hybrid cloud adoption is growing due to resilience, compliance, and best-of-breed needs. For instance, one cloud may be chosen for performance and scalability, while another ensures data residency or supports specific workloads.

 

However, multi-cloud also brings new security challenges:

  • Identity & access: Requires identity federation and CIEM (Cloud Infrastructure Entitlement Management) to prevent cross-platform over-privilege.

  • Network security: Different cloud network architectures demand policy orchestration for consistent operations.

  • Visibility: Centralized logging, monitoring, and threat detection are essential to eliminate blind spots.

  • Compliance: Regulatory mapping (PDP Law, OJK, ISO 27001) must remain consistent across multiple clouds.

While multi-cloud is more complex, with zero trust and policy-as-code approaches, security can remain consistent.
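As an added illustration of the policy-as-code and CIEM points above (not code from CBNCloud or any vendor product), the sketch below applies one policy, kept as data, to entitlements normalised from two clouds and compares them with activity from centralised logs. The record schema, identity names, and sample data are constructed assumptions.

```python
from collections import defaultdict

# One policy, kept as data, applied identically to every provider.
POLICY = {"forbid_wildcards": True, "max_unused": 0}

# Constructed entitlement records, normalised from two providers (hypothetical schema).
ENTITLEMENTS = [
    {"cloud": "aws", "identity": "ci-deployer",
     "granted": {"s3:GetObject", "s3:PutObject", "iam:PassRole", "ec2:*"}},
    {"cloud": "gcp", "identity": "ci-deployer",
     "granted": {"storage.objects.get", "storage.objects.create"}},
    {"cloud": "aws", "identity": "report-reader", "granted": {"s3:GetObject"}},
]

# Constructed activity seen in centralised logs: (cloud, identity, permission used).
ACTIVITY = {
    ("aws", "ci-deployer", "s3:PutObject"),
    ("gcp", "ci-deployer", "storage.objects.create"),
    ("aws", "report-reader", "s3:GetObject"),
}

def evaluate(entitlements, activity, policy):
    """Return {identity: [finding, ...]}, merging findings for a federated
    identity across clouds so over-privilege is visible in one place."""
    report = defaultdict(list)
    for ent in entitlements:
        cloud, who = ent["cloud"], ent["identity"]
        used = {perm for c, i, perm in activity if (c, i) == (cloud, who)}
        wildcards = {p for p in ent["granted"] if "*" in p}
        # Wildcards are reported separately, so exclude them from the unused set.
        unused = ent["granted"] - used - wildcards
        if policy["forbid_wildcards"]:
            for perm in sorted(wildcards):
                report[who].append(f"{cloud}: wildcard grant {perm}")
        if len(unused) > policy["max_unused"]:
            report[who].append(f"{cloud}: unused {', '.join(sorted(unused))}")
    return dict(report)
```
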

 

Conclusion

Cloud security myths often discourage companies from digital transformation. In reality, with an understanding of shared responsibility, strict identity and data controls, and compliance with local regulations such as the PDP Law, the cloud can actually be more secure than on-premises.

 

In 2025, cyber threats in Indonesia are becoming increasingly complex, from ransomware to data leaks and misconfigurations. However, with the right strategy, the cloud can serve as a strong security foundation while supporting business efficiency.

 

CBNCloud is here as your trusted partner to help build a strong cloud security posture, backed by regulation-compliant infrastructure, an experienced local team, and 24/7 managed services.

 

Contact the CBNCloud team today for a cloud security consultation and discover how the right strategy can protect your digital assets while accelerating your business transformation.