
Cloud Apps Somewhat More Secure Than On-Premises Apps: Survey

This article is more than 10 years old.

Security is often a showstopper for cloud computing proposals, but at least one survey suggests that applications and data may be somewhat more secure out in the cloud than within on-premises systems.

In fact, cloud-based applications are less likely to be attacked than on-premises environments, concludes a new study of 70,000 security breaches over a 12-month period across 1,600 companies, released by Alert Logic, a security vendor.

An area of greater vulnerability is "web application attacks," seen more frequently in the cloud. The study's authors define a web application attack as "attacks targeting the presentation, logic or database layer of Web applications." Overall, Web application attacks remain the most significant threat for service provider environments (53% of customers impacted) and the second most significant threat in on-premises environments (44% of customers impacted).

However, on-premises Web application systems get hammered more frequently with attacks, the study shows. The average number of web application attacks is 61.4 among on-premises customers and 27.8 among service provider customers. Brute force attacks and reconnaissance attacks were also experienced with higher frequency in on-premises environments.

On-premises systems were also more likely to have been subjected to other forms of security breaches. For example, 46% of corporate systems were hit by "brute force" attacks, versus 39% of cloud providers. (In the study, a brute force attack is defined as one that enumerates "a large number of combinations" in access attempts, "typically involving numerous credential failures.")

In addition, malware slipped into 36% of on-premises systems, versus only 4% present within cloud service providers' systems.

Who suffered the most? IT Services companies that have a public presence experienced a large number of Web application attacks, the report notes. About 22% of these sites experienced security incidents. "There are also constant brute force attempts to gain access to these environments, likely because of the number of individuals with escalated privileges, access to servers and network configurations that make them useful to attackers."

There are two takeaways from this study. First, on-premises systems and applications aren't necessarily more secure than those in the cloud. In fact, many cloud providers have strict security policies and procedures, and likely adhere to auditing standards such as SAS-70. The second takeaway is that security is a commitment that doesn't go away and isn't "outsourced," even when systems and applications are run by a third-party cloud provider. It doesn't matter if an application or service comes from an on-site or off-site provider; security needs to be baked into the architecture, and there needs to be plenty of awareness and support from management:

"Given the prevalence of unsophisticated attacks, such as brute force and reconnaissance, in both cloud and on-premise environments, and across all industries, the fundamentals apply: multi-layer security, close attention to basic management practices, such as patch management and upgraded operating systems, and use of monitoring and defensive technologies to identify and stop attacks.  When selecting cloud service providers, enterprises should consider the rigor and application of these fundamentals in their evaluation process. the quality of management applied to any IT environment that drives good security."