In the last few years we’ve seen wider acceptance and adoption of cloud infrastructure – not a surprise, given the benefits in cost, flexibility and scalability it brings. We’ve also heard a lot of concern about the security of the cloud model.
That’s not unreasonable – after all, it’s our job to make sure that when we move to a new infrastructure model, we’re not putting critical assets at risk. Unfortunately, a lot of the conversation has been about perceptions. For example, I recently came across this infographic with an attention-getting headline: Cloud and Mobile IT Adoption Increases IT Security Risks.
There are a lot of interesting statistics in the infographic. Sensitive data is moving to the cloud. A lot of people are having trouble keeping track of where that data is. A lot of people are worried about cloud security. What none of that data tells us is whether that data really is at risk, despite the assertion in the headline.
Over a year ago, we at Alert Logic decided that it was time to shine the light of real user data on the questions about cloud security. We’re in a great position to do that – over 2,000 organizations use our managed security services, and they’re a mix of traditional enterprise data centers on our customers’ premises and infrastructures managed by many of the largest cloud hosting providers in North America. If there is some inherent risk in the cloud model, we’d expect to see it in the threats detected by our technology and validated by our security analysts. And so last spring we published our first State of Cloud Security Report.
We’ve just released the third report in the series and analyzed 180,000 security incidents singe we began, and what’s most striking is how little has changed each time we’ve undertaken this analysis (can we use some metric of how many attacks we have seen, incidents, etc.). Simply put: the occurrence of threats (percentage of customers affected) is comparable in both environments (and actually lower in cloud hosting provider environments for most categories of threats). We’ve now analyzed over two years of data and that fundamental conclusion hasn’t changed.
There’s more in the report: Web application attacks remain the most common threat (why) that most organizations face. We’ve also looked at frequency of attacks, looked for qualitative differences in the risk profile, examined the diversity of threats encountered by customers in each environment, and drilled down into the issues affecting customers in the financial services, healthcare and software-as-a-service sectors. Below is an infographic from the report summarizing our threat data. You can also download the full report to review here.
But the bottom line is that our customers are not finding elevated risk in cloud hosting provider infrastructure.
I hope the report gives you some interesting data to consider as you make your own cloud security plans. Please reach out to us with your feedback, thoughts and experiences.