Is your cloud provider secure?
That question, the basis of a TechSec forum in February, came to mind again this week with the release of Alert Logic’s “State of Cloud Security Report—Fall 2012.” The company, a provider of security solutions for the cloud, issued the report after analyzing more than 70,000 security incidents among 1,600 business customers.
Among the key conclusions was that “on-premise IT infrastructure is more likely to be attacked, more often, and through a broader spectrum of attack vectors than cloud-based infrastructures.” The report also cited a higher incidence of “brute force attacks and reconnaissance attacks” in on-premise environments.
The findings echo one of the points made at TechSec: While many security companies don’t trust their data in the cloud, having it on-site doesn’t guarantee it’s going to be safe.
“[Cloud] security is far greater than open data systems,” said TechSec panelist Brian McIlravey, co-CEO of PPM 2000, a manufacturer of incident reporting and investigation management software. “The enterprise-class cloud is very secure. Third parties that hold data take it very seriously—we don’t want it accessed any more than you do.”
McIlravey stressed due diligence when selecting and moving data to a cloud provider, including asking for certification and knowing what is covered in the service-level agreement. He said the same scrutiny should occur internally in the company that is moving data off-site.
“The cloud provider must have certification, but you should be asking the same questions of your IT group,” McIlravey said, referring to data access, encryption and other safeguards.
Due diligence aside, skepticism could well linger in the security industry because of the “myth” that the cloud isn’t as secure as on-site environments, said Stephen Coty, research director at Alert Logic.
“[It] is a stereotype that has prevented the industry from focusing on the real issues impacting enterprise security,” he said in a news release announcing the fall 2012 report. “Rather than falling victim to perception-based beliefs, businesses should leverage factual data to evaluate their vulnerabilities and better plan their security posture.”