1. More Companies are in the Cloud. Fewer enterprises are asking “should I use the cloud?” and more enterprises are asking “how should we secure our cloud-based data and applications?” as the cloud becomes a viable alternative to on-premise systems.
2. The Cloud is Not Inherently Less Secure. The data continues to show that the cloud is not inherently less secure than on-premise systems. However, a company’s approach to the cloud can severely impact its security (see item 6 below).
3. Security Events are Increasing. Not surprisingly, attacks against both on-premise systems and cloud systems are increasing.
4. Threats are Evolving. Threats that were previously deployed almost exclusively against on-premise systems are gaining traction in the cloud environment. Examples of these are malware and botnets (although malware in the cloud remains dramatically lower than in on-premise systems). Other types of attacks that were previously much more common against on-premise systems are increasingly being deployed against cloud systems; for example, in mid-2012 brute force attacks were used against on-premise systems 49% of the time but only used against cloud systems 30% of the time. The number is still 49% for on-premise systems, but has rocketed to 44% for cloud systems, a jump of 14 points.
5. Systems in Europe and Asia are Primary Targets. Interestingly, cloud systems in Europe are attacked 4x more frequently than cloud systems in the US, and cloud systems in Asia are attacked 2x more frequently than cloud systems in the US. This is surprising, given that systems in the US contain information at least as valuable as systems in Europe and Asia. Alert Logic offers a couple of theories to explain the differences:
a. European systems might be a staging environment for European hackers, allowing them to test their strategies closer to home before deploying them against servers in the US.
b. Asia tends to run a higher number of pirated and unpatched copies of Microsoft products, and the attacks in Asia were overwhelmingly targeted at those vulnerabilities.
It would be helpful to have more research in this area to see if other factors, such as IP blocking by US cloud providers or fierce rivalries among European companies, also play a role in these numbers.
6. Security is a Process. Security in the cloud is different from on-premise security, but some enterprises don’t fully grasp and manage those differences. To maintain a secure cloud system, enterprises must understand the security of applications they deploy into the cloud, clearly define the roles and responsibilities of the cloud provider vis-à-vis the enterprise, and control the unauthorized use of cloud-based resources by employees and groups in the enterprise.
Things to Consider
This last point around security in the cloud is absolutely essential for companies to consider when developing their cloud strategies. As part of this process, the company should focus on two high-level questions: (1) does the company understand its own application security limitations and the cloud hosting provider’s security capabilities, and (2) what processes does the company have in place to avoid “Shadow IT” security concerns? I cover these in more detail below.
Application Security vs. Hosting Security
First, does the company understand the security holes in its own applications, and can it work with the hosting provider to close those holes?
On this topic, the report states:
“This makes it an absolute necessity that customers educate themselves on their business and application requirements for security and compliance, map these requirements to the right [cloud hosting providers], and source the right products and build the right processes to manage events, incidents and ongoing security in the cloud. It’s also important to note that cloud providers differ in their default security settings. Some take an ‘all doors closed’ approach, while others default to requiring users to define their own security (i.e., there is no security protection by default)” (p. 12).
Companies should have two frank discussions about security when shopping for a cloud hosting provider. The first discussion should be internal in the company so everyone understands the security aspects of the applications and how that security relies on the hosting environment. The second discussion (or set of discussions) should be with cloud providers to understand their infrastructures, security architectures, and associated processes. A security exhibit should be attached to the hosting contract that describes what is expected of both parties and imposes limitations on changes by the cloud provider that would adversely impact the security of the company’s application. The cloud provider might balk at including anything that limits its ability to make changes to its environment, so an alternative is to require the provider to maintain an environment that is at least as secure as the environment provided as of the contract date. One disadvantage of this alternative approach is that if the application itself has any vulnerabilities, a change to the environment might expose those vulnerabilities. For that reason, it is essential that the hosting provider give the company advance notice of any system changes that might impact security.
Policies to Avoid “Shadow IT”
Second, does the company understand and have a policy against employees using unauthorized cloud resources? As the Alert Logic report notes, this is sometimes called “Shadow IT” since it essentially uses the cloud as a replacement for the company’s information technology (IT) department. These resources frequently include online storage (e.g., Dropbox, Box, Google Drive, SkyDrive), online office tools (e.g., Google Docs, Live Documents), web-based email (e.g., Gmail, Hotmail, Zoho), survey tools (e.g., SurveyMonkey), email marketing (e.g., MailChimp), and CRM tools (e.g., Zoho, Salesforce.com).
This is not to say that those resources should never be used. However, if they are used it should be with the knowledge of the company’s IT department. A friend once told me about a company that kept electronic copies of its management meeting minutes on a hard drive in a locked filing cabinet accessible to only one person. Unbeknownst to everyone, one of the executive members would routinely scan his copy of the minutes and put those copies on Dropbox. This practice was discovered months later when the executive was showing a board member some family photos on Dropbox and the board member noticed a number of minutes scattered among the various files. Needless to say, the IT department did not approve Dropbox for confidential information and soon the minutes were deleted.
Creating and maintaining a current cloud-usage policy is important, but equally important is ensuring that employees are educated about the risks involved with certain cloud products and services. Many companies have discovered that blocking access to Dropbox is not enough since employees can often find a variety of ways to circumvent those limitations and use the service in spite of the block. Instead, companies should look for ways to allow employees to use those resources without putting company data at risk. This might mean installing an encryption tool so anything added to Dropbox is encrypted, or setting up a Dropbox clone on the company system.
One of the major themes in the Alert Logic report is that “organizations cannot rely on legacy approaches to security to support their cloud infrastructure” (p. 3). This is true at the application level, hosting level and personnel level – everything must be reviewed and reevaluated with respect to cloud security. Contracts should clearly define the security roles and responsibilities of both the company and the cloud hosting provider, and employees should be educated on safe cloud practices. With these precautions in place, companies will have more protection against the increasing number of security events in the cloud.