In a recent blog post in IT Business Edge, Mike Vizard makes some interesting points regarding security and its impact on adoption of cloud services by IT organizations. Of particular note is the idea that cloud services are inherently more secure because they have more money to throw at better technologies and people with skills to manage them.
Yes, cloud service providers should be able to afford to invest in state-of-the-art security technologies (but that doesn’t mean they actually have), and yes, the staff of cloud service providers should have the skillset and time to properly use such security technologies (but that doesn’t mean that they actually do).
Why are on-premise environments less secure?
The Alert Logic report that was cited notes that there is no difference in the number of attacks between cloud providers and on-premise environments, but concludes that the difference between the security vulnerabilities in cloud environments vs. on-premise environments was that “on-premise systems had to contend a lot more with malware simply because the number of systems they were supporting created a much broader attack surface”. I submit that it has less to do with the number of systems, since most cloud service providers probably have more systems than the typical on-premise customer. The real issue is that the on-premise environment has human computer users, and that fact is never going to change no matter where the data center resides.
Will on-premise environments always be less secure?
As more and more organizations shift their systems to cloud vendors, there will be a smaller number of target groups with more targets and richer rewards, and I believe that security will continue to be a major issue for cloud service providers. Unless those cloud service providers have established a high-level commitment to security technologies and the skilled staff to manage them, the risk of cloud-based services for many organizations may actually be higher than that of an on-premises solution, despite the risk of social engineering attacks on human users.
Just like the Department of Defense, and certain very public-facing companies, cloud service providers will attract more activity because they will be rich targets to compromise just for the sake of having done it. In addition, consider the impact of having a consolidated collection of key corporate data from multiple corporations with a single point-of-attack. A hacker no longer needs to launch multiple attacks at multiple disparate corporate entities, but will conveniently have them all consolidated in a small number of very public attack vectors.
Why is any environment less secure?
I do, however, fully agree with Urvish Vashi’s point: “…the vast majority of security incidents are a result of systems being misconfigured in a way that makes them vulnerable to an attack.” Whether or not cloud service providers are any more immune from these risks than an internal IT organization is the key question, and it should be part of the decision-making process as to whether any given organization chooses to host in the cloud.
What should every organization do to be more secure?
As I noted in a recent PatchZone blog post regarding responsibilities for cloud-based patch management operations, customers are ultimately responsible for the security of their systems and data, regardless of where they are or who actually does the work. Customers need to perform due diligence in ensuring that their cloud service providers DO have these security technologies, and DO have the staff capable of properly utilizing them, and CAN and WILL provide better security than can be provided by the customer, and not just blindly assume that a cloud service provider is a better alternative because the cloud service provider should have these advantages. If the customer cannot get those guarantees from the cloud service provider in the form of a Service Level Agreement, then the cloud service provider is not a “more secure” alternative.
And yes, either way, having a solid patch management policy is one component of the overall security strategy of an organization, regardless of whether a cloud employee is deploying the patches, or a local IT Administrator is doing it. Aside from the conversation about where data is stored, human users will always be attack vectors for social engineering attacks, and organizations need to have an appropriate patch management strategy, and user education strategy, for mitigating the risks caused by social engineering – which aren’t going to move to the cloud at all.