SAN FRANCISCO - Security remains a sticking point for organizations contemplating moving data and applications to a cloud provider, but a study released Monday by Alert Logic debunks the notion that cloud provider security is worse than traditional on-premise IT security.
The company, a Houston-based provider of security SaaS and managed security services, analyzed data gathered from its base of more than 1,500 customers with IT infrastructure either in-house or with cloud or hosted service provider environments. According to the study, which ran from July 2010 to June 2011, service provider environments showed lower frequency rates for every class of security incident and experienced a narrower set of threats.
At the same time, on-premise environments were 12 times more likely to have misconfiguration issues that could open the door to attackers, and they also had a higher rate of Web application attacks.
“The data doesn’t support the notion that service providers are less secure,” said Urvish Vashi, vice president of marketing at Alert Logic.
The study looked at 2.2 billion security events, meaning evidence of suspicious behavior detected by an IDS signature; of those events, 62,000 were verified by Alert Logic analysts as security incidents. For example, a single port scan is an event, while a series of port scans over a period of time from a host identified as an attack source is an incident, Vashi said.
Looking at three factors affecting an environment – how likely was it to be hit by a particular type of incident, how often, and how many types of threats – Alert Logic found big differences between service providers and on-premise IT. Malware/botnet incidents struck 43% of on-premise environments, but only 2% of service provider environments, and Alert Logic saw a greater percentage of misconfiguration-based incidents among on-premise customers (12% vs. 1% among service providers).
Both types of environments were highly likely to suffer Web application attacks, but Vashi said they were more prevalent in on-premise environments compared to service providers (71% to 65%).
Some of the differences – particularly the huge disparity in malware incidents – can be explained by the fact that service provider environments often have fewer nodes and operating systems, which provides a smaller attack surface, Vashi said. In comparison, on-premise infrastructure tends to have a lot of desktops, mobile endpoints and many operating systems, providing more network entry points for attackers.
Wendy Nather, research director in The 451 Group’s enterprise security program, said Alert Logic’s report was generally well done but contains some ambiguities.
“They describe ‘incidents’ as either attacks or as misconfigurations (vulnerabilities). I'm trying to figure out whether attackers deliberately used different types of attacks on enterprise premise networks as opposed to hosting providers, or whether these numbers indicate that there were the same kinds of attacks for both, but different vulnerabilities that were exploited successfully (and the two environments are vulnerable to different things),” she said in an email.
“In order for me to buy the claim that cloud service provider environments are more secure, I'd have to see they were less vulnerable, not that they were less targeted,” she added.
In response, Vashi said through a spokesperson that he likens the situation to walking through a neighborhood where you are more likely to be attacked vs. a neighborhood where attacks are less frequent. But describing the types and volumes of attacks they’re seeing, instead of whether environments are vulnerable to them, weakens Alert Logic’s argument because attacker motivation can shift over time, Nather said.
The study encompassed 19 service providers, including Rackspace and NaviSite; across the customers studied, 82% involved hosted and cloud environments, while 18% were on-premise environments at organizations of various sizes.
“This report is targeted at business application owners who take security seriously and are trying to understand what the security implications are in moving data to the cloud,” Vashi said. “We think this will help inform their decisions.”
Third parties often are held to a different standard than internal operations, he said. “We think the question should be around understanding how that risk is different.”
The study indicates that Web application security is a challenge for both internal IT operations and service providers, Vashi said. To that end, Alert Logic is bolstering its Web application security capabilities with the acquisition of Web application firewall provider Armorlogic. Alert Logic announced the acquisition last week; the company plans to integrate Armorlogic's WAF technology with the security SaaS model.
“We think the biggest challenge in WAF space is they’re hard to use. If [you] don’t tune them right, your application breaks,” Vashi said. “We think the missing link for broad WAF adoption is that you need great technology matched with great service. … We’ll transform their off-the-shelf, enterprise perpetual license model into a SaaS product with integrated managed service.”
View all of our RSA 2012 Conference coverage.