Cloud Security: Why the Fear?

Talk about cloud computing, and the discussion inevitably turns to the risks of moving data and applications into cloud environments. When we produced our first State of Cloud Security Report earlier this year, our aim was simple: instead of measuring attitudes and concerns, we wanted to apply data to the question. We started with the data we gather providing managed intrusion detection services to our 1,800+ customers—a real-world look at the incidents impacting real customers, from brute force attacks and reconnaissance activity to more sophisticated Web application attacks. We’ve just released an update (you can download it here), and we’ve found similar results each time—the risk profile of infrastructure hosted with service providers, where cloud environments live, looks a bit different from on-premise deployments, but it doesn’t look riskier—in fact, for many kinds of attacks, fewer customers are affected. Given data like this, and a steady stream of news about breaches in traditional environments, why do the fears persist? There are several factors at work:

  • Control: Just as we feel safer driving our own cars than flying in airplane— even though statistically, we’re in greater danger—control affects our perception of risk. A server you can see in your own data center feels safer. Of course, ten years ago there were a lot more fears about hosted environments, but over time, the fundamental benefits of the economic model and expert management that providers bring won out.
  • Transparency: Cloud environments vary greatly in the transparency they offer around security practices and shared responsibilities. A recurring theme is that customers need to understand their agreements with providers, how data is protected, and how incidents are investigated. This is more complicated than a DIY model, but it’s required to take advantage of the efficiency and flexibility benefits of the cloud.
  • Finally, there’s security technology: Right now, the breadth of security technologies available in the cloud is more limited than in an enterprise environment (though solutions delivered as a service are more accessible, in terms of cost and management burden). This is a point that Alert Logic CEO Gray Hall made in his recent keynote at the Hosting and Cloud Transformation Summit (click here to view). As customers move to the cloud, they will demand access to security technology that can be deployed on-premises—and they’ll want it delivered in a way that’s easy to implement and use.

Just like their cloud services—because despite the fears, the benefits of the cloud are compelling. Check out the latest State of Cloud Security Report to get more insight into our view of cloud security data.