Safer in the Cloud?

Although companies are expanding their use of cloud computing to realize improved agility and efficiencies, security concerns remain a barrier to adoption. In a recent global survey of IT professionals, Intel found that 61 percent expressed concern about a lack of control over the security capabilities of shared, virtualized data center resources.

However, those concerns may be unfounded. At least one survey suggests that applications and data are actually more secure out in the cloud than within on-premises systems.

On-premises IT infrastructure is more likely to be attacked, more often, and through a broader spectrum of attack vectors than cloud-based infrastructures, according to security vendor Alert Logic’s most recent State of Cloud Security Report. The research is based on operational data from more than 1,600 business customers with IT infrastructure in both on-premises and service provider and cloud environments. The company’s security research team analyzed the data to compare the occurrence, frequency and diversity of more than 70,000 security incidents across seven categories of security threats.

For every incidence class, the number of incidents per impacted customer was higher in the on-premises environment. While cloud providers were slightly more likely to be hit with a web application attack (53 percent to 44 percent for on-premises environments), the on-premises environments get hit with far more frequent attacks.

On-premises systems were also more likely to have been subjected to other forms of security breaches. For example, 46 percent of corporate systems were hit by brute-force attacks, versus 39 percent of cloud providers. In addition, malware slipped into 36 percent of on-premises systems, versus only 4 percent within cloud service providers’ systems.

These results indicate that improved security can actually be one of the chief benefits of moving to a cloud infrastructure. The best cloud providers have an inherently more secure environment because their systems were built from scratch using security best practices for everything from the core cloud platform to the management processes they have in place and the monitoring systems they use.

Because they provide services to large numbers of customers, cloud providers can implement strong defensive measures more easily and economically. It is also more likely that they will achieve a higher level of standardization and automation, which dramatically reduces the chances that important security patches will be missed or vulnerabilities will be introduced by leaving the wrong port open.

Still, there can be a danger of complacency with the cloud. Security is a commitment that doesn’t go away just because systems and applications are run by a third-party cloud provider. When selecting a cloud service provider, organizations should assess the provider’s security infrastructure and the ongoing management of that infrastructure.