Simply Security - News, Views, and Opinions from Trend Micro

Posted on April 16th, 2012 in Current News by Simply Security | Be the first to comment | Tags: cloud computing security

Researchers discovered that cloud providers were less prone to security incidents than their in-house IT counterparts.

Cloud services have faced more than their fair share of skepticism from a variety of detractors asserting that the new technology paradigm is inherently less secure than legacy systems. The latest research from industry experts at Alert Logic may have dealt a significant blow to that argument, however, with a series of surprising empirical analyses.

The company's semi-annual cloud security report contains one of the most informative juxtapositions yet, quantitatively comparing the rate of real-world incident reported in hosted environments with those seen in traditional on-premise setups.

"Counter to conventional wisdom that infrastructure in service provider managed environments is inherently less secure, the analysis found these environments tend to face a lower level of risk than on-premise environments," report authors explained.

After observing more than 60,000 verified security incidents reported by approximately 1,500 customers in the past 12 months, Alert Logic analysts discovered that cloud systems encountered threats less frequently and faced a narrower range of threat types in comparison to in-house IT models.

Out of the seven threat categories analyzed, on-premise customers reported experiencing an average of 3.0 different types of attacks – with a small portion even citing familiarity with all seven breeds in the past year. Conversely, cloud providers faced an average of 2.1 different threat styles and none experienced more than five different threat types.

There was also a disparity in the order of most prevalent attack categories. For instance, 83 percent of teams with in-house systems faced brute force attacks, while just 44 percent of cloud providers reported similar experiences. Conversely, hosted environments were more prone to encountering reconnaissance attempts from malicious programmers.

"While security can never be taken for granted, decisions around where and how to deploy IT infrastructure should be based on fact not fear," noted research coordinator Marty McGuffin. "Our research suggests that a well managed service provider can not only match the level of security found inside an enterprise's four wall, but actually exceed it."

Perhaps the most compelling argument in favor of the cloud-hosted model was the consistent execution of best practices and clear demonstration of IT infrastructure management expertise. Even through simple improvements in architecture configuration and patch management consistency, the managed service providers were able to reduce security incidents attributed to misconfigurations by as much as 92 percent.

Cloud security advocates have continually emphasized that many of the principles of effective data protection translate to both physical and virtual environments. Themes like accountability and network visibility apply in each and often go a long way toward forging success – regardless of the unique technical considerations. But to keep the conversation moving forward, a number of panelists and guest speakers at the RSA Conference have used their platforms to promote awareness for the progress taking place in the field and spur further innovations.

All eyes were on the summit symposium held by the Cloud Security Alliance (CSA), according to Techworld reporter George Hulme, as officials reviewed recent developments and charted the course ahead.

"In the past year, there's been a dramatic increase in the rise of cloud security awareness," CSA executive director Jim Reavis told those in attendance. "I think there's a sense around the world of a bigger push to cloud adoption, and we want to help prepare the industry for the move."

Perhaps the CSA's most influential announcement at the event was its unveiling of a new innovation initiative. Distressed by a lack of widely available information and frustrated by the funding hurdles encountered by cloud innovators, project coordinators plan to target key systemic issues that are preventing the development and delivery of "built-in," as opposed to "bolted-on," security features.

Once research conclusions have been drawn, the CSA will proactively distribute concrete principles and objectives to guide IT progress. Additionally, the organization will divert its resources to help "incubate" solutions that align with its core philosophies.

“Just think of the value when you can take breakthrough ideas into a specialized security curriculum with mentorship from leaders in the industry," suggested CSA member and industry executive Jim Kaskade. "Then add capital resources, infrastructure and access to early customer funnel. This will make a huge impact.”

One of the key threat vectors to be addressed by the CSA and other industry counterparts will be mobile computing. According to Dark Reading contributing writer Robert Lemos, organizations in all sectors are struggling to balance the productivity benefits and data security concerns of highly distributed network access.

"I now have the device I can use anywhere and these cloud services I can use anywhere," security consultant Patrick Harding explained to Lemos in a recent interview. "Now IT has just lost control."

Researchers are looking to the potential of biometric authentication to add another layer of protection to vulnerable corporate mobile devices. According to Lemos, creating and vetting approved applications will also be a focus of IT teams in the coming months.

Cloud Security News from SimplySecurity.com by Trend Micro