Web Applications Biggest Threat, Says Cloud Security Report

RSS

The question still comes up whether cloud computing environments are as safe as on-premises deployments. The specific answer will depend on the security measures implemented in each environment, but a new report out last week suggests that overall the "cloud is not inherently less safe than the enterprise data center." Other key findings include that enterprise data centers are targets for more sophisticated, targeted attacks; and that in both environments, web application attacks are a significant problem.

This latest State of Cloud Security Report is the third in a series produced by security vendor Alert Logic. I'm unavoidably suspicious of reports from vendors that support their own products, but the methodology of this one seems reasonably sound. Data was collected between April 1 and September 30, 2012, from Alert Logic customers using real-world environments. In other words, these aren't test locations or labs, and the data isn't based on surveys. The report draws from a very large sample set of security incidents, but perhaps the one drawback is that they collect data only from customers who have already chosen the Alert Logic service.

Related: Future Clouds Will Be Safe, Says Symantec

The report looks at several types of network security threats and comes to the conclusion that across the range of attacks, cloud hosting providers are no more at risk than are enterprise data centers. In areas such as brute force attacks, vulnerability scans, and malware/botnets, enterprise data centers were more likely to be targeted, if only slightly in some cases. The only attack type more common for service providers was for web applications.

Web applications as a threat vector could be of significant concern for many organizations. With the rise of cloud computing, companies have become accustomed to subscribing to web applications -- Microsoft Office 365 for Office apps, Salesforce.com, Adobe Creative Cloud. Add to that the unofficial web apps your end users might be using, often for business purposes without oversight from the IT department, and you could be running many more web apps than you think, each one a potential security hole.

The State of Cloud Security Report is interesting not just for its raw numbers but for the fact that it also provides suggestions for why certain attacks are prevalent in each environment as well as guidance for organizations to help reduce their vulnerability. For instance, the report suggests that enterprise data centers remain targets for more sophisticated attacks, such as phishing or spear phishing, because companies continue to keep their most valuable information in their own data centers. Criminals will make the most determined efforts for the best possible payoffs.

The report recommends monitoring and reviewing log data as well as maintaining up-to-date antivirus software and patch management as preventive measures against attacks -- as you would expect. What they don't call out, however, is the importance of end-user education for implementing strong security. As an IT pro, you should make sure security training is part of every employee's development.

If you give your users the ability to run web apps or download from the Internet, have you also helped them to recognize a trustworthy site from a less-secure one? Have you explained phishing attacks and what to do if they get a suspicious email? Your end users might be highly intelligent -- whether they work in health care, accounting, education, or whatever -- but it's unlikely they have the level of technological engagement that you do as an IT pro. In other words, what might seem obvious to you probably isn't to your average end user -- at least, not until you teach it to them.

You can download the full State of Cloud Security Report from the Alert Logic website. It's certainly worth a closer look.

You can't get away from the connected world these days. However, you can educate yourself about security threats, and help your users with best practices as well, and provide a safer environment for your company -- whether you're in the cloud or on premises.

Learn More: Trusting Cloud Computing

Follow B. K. Winstead on Twitter at @bkwins
Follow Windows IT Pro on Twitter at @windowsitpro

Discuss this Blog Entry 1

on Apr 7, 2013

I agree that "Web Applications Biggest Threat". I also agree that "Future Clouds Will Be Safe". But there are many reasons behind these data security issues in cloud services. First and foremost is that the architecture is fundamentally based on sharing resources and moving data around for collaboration and scalability. This contradicts the basic principles of data security and compliance, which focus on restricting access and controlling data flow. Once the data is out of organizations’ hands and into the cloud, how can security be assured?
If the platform cannot be protected by the organization, then the data itself must be secured before it reaches the cloud. The primary means to this is in granular, selective data protection, via tokenization or masking, to allow different classification levels. Tokenized or masked data holds no value to a potential thief, and allows applications to operate on selective portions of the data that bleed through.
The data will then be secured across the enterprise and into the cloud, and only via policy retained at the organization’s security center can the sensitive data ever be revealed to authorized parties or applications that require it. A separation of duties, isolating security administration to security personnel, can ensure protection from internal threats.
Since the data itself is secured, this can reduce the requirements for auditing and monitoring, which are also issues in a cloud environment.
Practicing in this way can allow organizations to rest easy, knowing that their data is safe wherever it goes, and continue to take advantage of the numerous efficiencies in cloud computing.

Ulf Mattsson | CTO | Protegrity (m) +1.203.570.6919

Please or Register to post comments.

What's Cloud Computing?

Cloud computing information, news, and tips covering Hyper-V, IaaS, PaaS, private cloud, public cloud, SaaS, security, trends, and more.

Contributors

B. K. Winstead

B. K. Winstead is a former editor for Windows IT Pro specializing in Exchange Server, messaging, mobility, unified communications, and cloud computing.

Jeff James

Jeff James is a former editor for Windows IT Pro.
Blog Archive

Sponsored Introduction Continue on to (or wait seconds) ×