The question still comes up whether cloud computing environments are as safe as on-premises deployments. The specific answer will depend on the security measures implemented in each environment, but a new report out last week suggests that overall the "cloud is not inherently less safe than the enterprise data center." Other key findings include that enterprise data centers are targets for more sophisticated, targeted attacks; and that in both environments, web application attacks are a significant problem.
This latest State of Cloud Security Report is the third in a series produced by security vendor Alert Logic. I'm unavoidably suspicious of reports from vendors that support their own products, but the methodology of this one seems reasonably sound. Data was collected between April 1 and September 30, 2012, from Alert Logic customers using real-world environments. In other words, these aren't test locations or labs, and the data isn't based on surveys. The report draws from a very large sample set of security incidents, but perhaps the one drawback is that they collect data only from customers who have already chosen the Alert Logic service.
The report looks at several types of network security threats and comes to the conclusion that across the range of attacks, cloud hosting providers are no more at risk than are enterprise data centers. In areas such as brute force attacks, vulnerability scans, and malware/botnets, enterprise data centers were more likely to be targeted, if only slightly in some cases. The only attack type more common for service providers was for web applications.
Web applications as a threat vector could be of significant concern for many organizations. With the rise of cloud computing, companies have become accustomed to subscribing to web applications -- Microsoft Office 365 for Office apps, Salesforce.com, Adobe Creative Cloud. Add to that the unofficial web apps your end users might be using, often for business purposes without oversight from the IT department, and you could be running many more web apps than you think, each one a potential security hole.
The State of Cloud Security Report is interesting not just for its raw numbers but for the fact that it also provides suggestions for why certain attacks are prevalent in each environment as well as guidance for organizations to help reduce their vulnerability. For instance, the report suggests that enterprise data centers remain targets for more sophisticated attacks, such as phishing or spear phishing, because companies continue to keep their most valuable information in their own data centers. Criminals will make the most determined efforts for the best possible payoffs.
The report recommends monitoring and reviewing log data as well as maintaining up-to-date antivirus software and patch management as preventive measures against attacks -- as you would expect. What they don't call out, however, is the importance of end-user education for implementing strong security. As an IT pro, you should make sure security training is part of every employee's development.
If you give your users the ability to run web apps or download from the Internet, have you also helped them to recognize a trustworthy site from a less-secure one? Have you explained phishing attacksand what to do if they get a suspicious email? Your end users might be highly intelligent -- whether they work in health care, accounting, education, or whatever -- but it's unlikely they have the level of technological engagement that you do as an IT pro. In other words, what might seem obvious to you probably isn't to your average end user -- at least, not until you teach it to them.
You can download the full State of Cloud Security Report from the Alert Logic website. It's certainly worth a closer look.
You can't get away from the connected world these days. However, you can educate yourself about security threats, and help your users with best practices as well, and provide a safer environment for your company -- whether you're in the cloud or on premises.
Learn More: Trusting Cloud Computing