Are cloud environments fundamentally less secure than traditional IT infrastructure hosted in enterprise data centers?
If you want to attack me -- and just me -- it's probably easier when I'm home sleeping than it is when I'm standing in a crowd -- at least if you want to be stealthy about it.
founding partner, Security Curve
This is the question that Alert Logic Inc., a Houston-based cloud Security as a Service provider, wanted to test with its State of Cloud Security Report last year. The Spring 2013 update, released today, represents the third version of the report, and provides another six months of data to analyze.
The company said its findings suggest cloud environments present no more inherent risks than traditional enterprise data centers. With the exception of Web application attacks, it found that cloud infrastructures experienced a smaller volume and variety of security incidents.
The report accumulated data from more than one billion security events experienced by Alert Logic customers, and included a split of 81% utilizing Infrastructure as a Service services from a cloud hosting provider, and 19% managing their own infrastructure in a traditional enterprise data center. Of those events, 46,475 (.46%) were verified as security incidents by Alert Logic analysts. The report focused on how vulnerable both types of environments were to certain types of attacks, how often they would be attacked and how many threat types would target each environment.
Alert Logic stated that the enterprise data center environment was hit by 2.5 types of threats on average; in comparison, cloud hosting provider environments were hit by 1.8 types. The report noted that this does not necessarily indicate that an environment is more secure, just that a different security posture is required. Enterprise data center environments also experienced far more frequent attacks from the top three incident classes, including brute-force attacks, Web application attacks and malware/botnets, than their cloud counterparts.
According to Urvish Vashi, vice president of marketing for Alert Logic, the statistics it has accumulated over the course of a year provide a clear rebuttal to any cloud security concerns.
"The evidence that hosted and cloud environments are inherently more threat-prone, more attack-prone than enterprise data center environments," Vashi said, "once again, for the third time in a row, is just demonstrated to be factually inaccurate."
The main thrust of Alert Logic's argument relied on the type of attacks each environment attracted. Vashi explained that incidents in cloud hosting provider environments tended to be "crimes of opportunity", whereas enterprise data center environments were more likely to experience targeted attacks. As an example, he cited the 49% of enterprise data center customers that experienced incidents with malware and botnets. In comparison, only 5% of customers that rely on cloud hosting providers were targeted by the same attacks. Vashi did note that the numbers may be affected by the reluctance on the part of enterprises to move the most sensitive -- and thus highly valued -- data to the cloud.
"Certainly, there's probably some element of that in practice," he said. "I think the fear of moving some infrastructure to a hosted cloud environment means, among other things, that customers are less likely to put some of their most sensitive data there. So I think there's some truth to the attacks focusing on where the data is on some level."
Still, Vashi contended that some of Alert Logic's customers are companies that live entirely online, meaning that all of their sensitive data lives in the cloud. John Whiteside, product marketing manager for Alert Logic and author of the report, noted that it will be interesting to see if targeted attacks follow the most sensitive data to the cloud in the coming years.
Ed Moyle, founding partner with Amherst, N.H.-based security and compliance consulting firm Security Curve and a SearchCloudSecurity contributor, downplayed the idea that sensitive data isn't moving to the cloud, as even organizations that try to prevent such movement still have data slipping out. Instead, he felt the data may point towards the cloud being a more difficult target for such attacks.
"I'm wondering if it might have to do instead with the difficulty -- from an attacker's point of view -- in finding a particular organization's resources in a multi-tenant environment," he said. "Meaning, if you want to attack me -- and just me -- it's probably easier when I'm home sleeping than it is when I'm standing in a crowd -- at least if you want to be stealthy about it."
Web applications need better security
Unsurprisingly, Web application attacks continue to be the most significant threat to cloud hosting provider environments, with 52% of Alert Logic-monitored cloud environments affected. This was also the only attack vector where cloud customers experienced a higher percentage of attacks; in comparison, a still hefty 39% of enterprise data center customers were targeted by Web application attacks.
The report singled out SQL injection attacks as being a thorny issue regardless of infrastructure: Vashi highlighted the automated attack tool Havij as being particularly problematic, accounting for roughly 40% of the recorded Web application attacks. Havij is not the only automated tool that threatens Web applications though, as hacker groups recruit less-sophisticated participants to help them propagate what Vashi described as "broad-scale attacks".
"[Sophisticated attackers] write [graphical user interface] GUI-based tools to help their hordes and armies perpetrate these attacks," Vashi said. "What that really sort of reinforced for us: It's not like we're ever going to have fewer Web applications … it just means putting a greater focus on Web application security."
Though surprised by the high percent of attacks making use of a single tool, Moyle agreed that there are many applications susceptible to SQL injection attacks and that attackers' reliance on Havij makes sense. Even with the threats to Web applications noted, he was generally optimistic about the findings in the report, particularly as the data might indicate that the initial promise of scalable cloud security services for small shops could be coming to fruition. Still, he cautioned that this is only one report that takes into account certain factors.
"Since this report doesn't cover all types of risks for every environment, it still behooves organizations to plan their cloud strategy carefully and thoroughly," Moyle said. "You can't base your decision-making on [the fact] that cloud may have certain security advantages within a certain set of constraints."