Information Security

Defending the digital infrastructure



A risk equation unravels the cloud security paradox

Is the cloud more or less secure than your current environment? How to assess your risk before moving data processing or applications to the cloud.

How many times have you heard "the cloud provides better security" or "the cloud provides worse security" than your own environment? We've all witnessed this ongoing debate countless times in recent years. Usually, the proponents on both sides of the argument take a position based on a subset of information and some presumed state of affairs in today's data centers.

The truth is, whether a cloud environment is more or less secure than your enterprise network depends on the deployment scenarios and the actual state of your existing infrastructure. Are you simply moving email and file sharing to the cloud via Software as a Service (SaaS), or storing sensitive data in a private or public cloud that requires privileged access control, compliance and encryption?

[Figure: Growing risk in the cloud]

The risk equation is the best way to evaluate the effect of specific cloud scenarios on IT security and risk management. Risk is a function of the likelihood that some negative event, such as unauthorized access or data loss, will occur and the expected consequences if it does occur, such as potential liability or penalties for noncompliance. The likelihood of the event is broken down into a threat component, which is the potential that a source of some online activity is malicious, and a vulnerability component, which determines the level at which a set of technical resources is capable of being compromised.

Despite heightened security concerns among IT executives, only 50% of those surveyed consulted their security teams on cloud projects "always" or "most of the time," according to the 2013 Security of Cloud Computing Users Study, conducted by the Ponemon Institute.

When security operations is tasked with assessing the change in risk posture brought about by a move to the cloud, a good place to start is by evaluating three elements of risk—threats, vulnerabilities and consequences.

As a security professional, you may already be objecting to how hard it is to quantify these three elements of risk. Make no mistake, any well-intentioned professional who is making decisions is quantifying these elements already, whether they are aware of it or not. What you really need to do is to compare the expected future state to the current state in fairly broad terms, perhaps even assigning a "higher" or "lower" value to the expected change in each element.

During this exercise, it's useful to consider threats, vulnerabilities and consequences separately from any expected or existing control environment. This can be a bit challenging; however, the changes in security controls are assessed at a later stage.

Change in threat levels

The best way to think about threats is simply as a source of activity—an IP address or some notional version of that "bad guy" amidst all sorts of other people sitting at their keyboards. When you are evaluating threats, it's critical to consider accessibility and attacker cost-benefit. First, determine whether there will be any change in overall usage volume once an application, IT service or data processing is moved to the cloud. At the very least, volume of activity provides some insight into the chance that attackers will target these assets. (It should be relatively straightforward to determine whether a cloud resource will be available to more people.) A service that is only accessible inside an organization's environment that moves to a public cloud will see an increase in threat; one that is already accessible to the Internet is less likely to change significantly. And a private, internally hosted cloud environment is unlikely to change at all.

Things get a little more interesting when you look at the cost-benefit scenario for attackers. Attackers only attack if they believe their costs are lower than the expected benefits. Any change to a more popular platform, or one that uses common components, decreases these costs. Attackers are more likely to be familiar with the technology, so they don't need to spend time on training or research. Availability of resources is also important. A public cloud scenario, for example, that colocates many different applications with various types of data is likely to increase the perceived benefit.

When security teams assess cloud risk by applying the "higher" or "lower" value to current and expected changes, many enterprise environments are likely to expect a higher level of threat.

Vulnerability assessments

Understanding the attack surface is the best way to assess the second element in the risk equation, which is the vulnerability level. This involves looking at the individual components of an application and determining whether a cloud deployment has more components that can be attacked, such as the virtualization layer.

Complex, distributed components bring higher vulnerability in the cloud, but if the application is important enough and hard to assess, it might be worth looking at the number of interfaces, code size, or even (shudder) system processes. Note that the number of existing vulnerabilities is not mentioned. Disclosed vulnerabilities are actually elements that impact threat (i.e., they reduce attacker costs) rather than vulnerability.

An application environment that is moving from a legacy or monolithic system to highly distributed, virtualized architecture will easily see increased vulnerability. One that is already using modern architectures is less likely to see a huge increase.

In public clouds with shared resources, it is important to understand the possibility of collateral damage, which affects both threats and vulnerabilities. In this context, collateral damage means that your cloud environment may come under attack simply because its resources are shared with some other target. A distributed denial-of-service attack against an enterprise SaaS deployment may result in other organizations being affected.

Consequences of cloud adoption

It's useful to remember that any healthy application or IT environment is growing in value at some level. This also means the consequences—the third element in the risk equation—are greater. Eventually, the increased reliance on cloud technology reduces expertise in the organization and may inhibit internal innovations that would increase efficiency. Therefore, there is usually no need to assume a significant difference in potential losses when you're comparing the existing environment to the cloud-oriented one.

[Figure: Mass confusion on securing SaaS]

There are, however, ways that the consequences could change significantly. Perhaps the most obvious one is in response-and-recovery costs. The ability of the responders to gain access to all appropriate logs and resources from cloud providers or other third parties may be significantly impaired during a breach incident, creating the potential for higher cost. On the recovery side, jurisdictional issues may have significant impact on legal and regulatory costs as more and more affected entities get involved. Keep in mind that organizations are responsible for the integrity of the information in any data breaches, even when the leak or compliance problem occurred because of a cloud provider or third-party vendor, and service-level agreements are in place.

Factoring in control environments

At this stage, assessing the net change in risk should be fairly straightforward. In most cases, it is likely that you will see an increase in risk. But does that mean the cloud is less secure? Not necessarily. Given the variables described, some deployments can easily be more secure or as secure in the cloud, especially when factoring in a private cloud scenario.
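The "higher"/"lower" comparison described in the preceding sections, written out as an added Python example (not part of the original article). The field names are hypothetical, the combining rule assumes only that risk rises when any one of threat, vulnerability or consequences rises, and controls are left out because the article assesses them at a later stage.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Change(IntEnum):
    LOWER = -1
    SAME = 0
    HIGHER = 1

@dataclass
class Move:
    """Constructed scenario; field names are hypothetical, one per question in the text."""
    public_cloud: bool           # False = private, internally hosted cloud
    internet_facing_today: bool  # already reachable from the Internet?
    common_platform: bool        # more popular platform or common components
    colocated: bool              # shares resources with other applications and data
    legacy_to_distributed: bool  # monolithic -> distributed, virtualized
    provider_log_access_impaired: bool  # responders may not get provider logs
    cross_jurisdiction: bool     # recovery involves several jurisdictions

def threat_change(m: Move) -> Change:
    newly_exposed = m.public_cloud and not m.internet_facing_today
    shared_target = m.public_cloud and m.colocated  # higher perceived benefit
    return Change.HIGHER if (newly_exposed or shared_target or m.common_platform) else Change.SAME

def vulnerability_change(m: Move) -> Change:
    # Attack surface grows with added components such as a virtualization layer.
    return Change.HIGHER if m.legacy_to_distributed else Change.SAME

def consequence_change(m: Move) -> Change:
    # Losses usually stay comparable; response-and-recovery cost is the exception.
    costlier = m.provider_log_access_impaired or m.cross_jurisdiction
    return Change.HIGHER if costlier else Change.SAME

def net_change(*elements: Change) -> Optional[Change]:
    """Assumes risk rises with each element. None means the labels conflict."""
    up = any(e is Change.HIGHER for e in elements)
    down = any(e is Change.LOWER for e in elements)
    if up and down:
        return None  # ordinal labels cannot settle it; magnitudes are needed
    return Change.HIGHER if up else Change.LOWER if down else Change.SAME

def assess(m: Move) -> Optional[Change]:
    return net_change(threat_change(m), vulnerability_change(m), consequence_change(m))

# Constructed samples: internal legacy app moved to a public cloud, and an
# Internet-facing modern app moved to a private, internally hosted cloud.
INTERNAL_LEGACY = Move(True, False, True, True, True, True, False)
PRIVATE_MODERN = Move(False, True, False, False, False, False, False)
```

When an analyst assigns "lower" to one element and "higher" to another, `net_change` returns `None`: the broad labels alone no longer decide the direction, and relative magnitudes have to be compared.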

It's critical to understand the change in security posture, however. It is certainly reasonable to create a cloud-oriented control environment that reduces risk to a level below that of the existing environment, if only because many people perceive—probably correctly—that the risks of the cloud are higher.

Up until now, no security solutions have been factored into the risk equation. The cloud provides an opportunity to evaluate the differences in the control environment. Enterprises can and should take the opportunity to enhance authentication mechanisms, especially since more privileged users will be coming from locations outside the firewall. At the SaaS level, patches may be applied much more quickly. And an organization may also gain benefit from the security operations of the cloud provider. That is, if the cloud provider's controls are applied and monitored correctly. (External cloud providers are likely not as invested in securing your network and data assets as your company's internal security operations.)

These are just a few examples, and do not factor in security costs where an organization may see a net benefit in risk, particularly if their own internal security program struggles—like many do—to maintain a high level of proficiency. The next time you hear someone say "the cloud is more secure" or "the cloud is less secure," feel free to ignore them.

Peter Lindstrom is principal and vice president of research for Spire Security. He has held similar positions at Burton Group and Hurwitz Group. Lindstrom has also worked as a security architect for Wyeth Pharmaceuticals and as an IT auditor for Coopers and Lybrand and GMAC Mortgage. Contact him on Twitter @SpireSec.
