Would you believe us if we said data from our new Cloud Security Report shows that hybrid cloud implementations have a 141 percent higher rate of security incidents than a pure public cloud environment? Because that’s what we found. It may seem surprising, but it is consistent with our findings that risk is cumulative and that combining networks just expands the attack surface. This is just one of the interesting discoveries in the latest Alert Logic Cloud Security Report.
Companies of all sizes and across all industries have migrated to the cloud. There are a variety of benefits that come with moving servers, data, and/or applications to the cloud, but the cloud also comes with some inherent risks. Alert Logic analyzed millions of our customers' security events and incidents gathered from around the world over 18 months to gain a better understanding of the general state of cloud security, and the specific challenges and threats that companies need to be prepared to defend against.
One underlying fact we can distill from the Cloud Security Report is that the very things that make the cloud valuable also make it vulnerable. Servers, data and applications in the cloud are available from almost anywhere, which also means they can be attacked from almost anywhere. Applications in the cloud exist to be executed, and data in the cloud exists to be accessed, but being in the cloud also exposes them to malicious execution or potential data breaches. Alert Logic developed the Cloud Security Report (CSR) to analyze and understand the vulnerabilities so organizations can minimize exposure to risk while taking advantage of the things that make the cloud valuable.
Alert Logic co-founder and Senior Vice President of Products and Marketing, Misha Govshteyn, kicks off the Cloud Security Report with, “Why is the sky blue? What is the meaning of life? Why did the chicken cross the road? Is the public cloud really less secure than on-premises data centers? No one has answers to many of these eternal questions, but we can shed some light on that last one – we have no indication that public cloud is less secure. In fact, there is an increasing body of evidence to the contrary.”
The CSR is the result of comprehensive analysis of more than 30 million security events gathered from nearly 4,000 customers around the world between August of 2015 and January of 2017. The goal of the CSR is to shed light on techniques and trends in how attackers are working to compromise cloud resources. It is also meant to help companies identify where they may be weak or exposed to these threats so they can take proactive steps to be more secure.
Organizations that are already leveraging the cloud or considering migrating to the cloud need to address the question of which resources should be maintained on-premises as opposed to the cloud, or perhaps a hybrid solution that combines the two. For the things that are moved to the cloud, companies need to determine whether a public or private cloud is a better choice. In order to make any of these decisions effectively, though, business leaders need to have relevant information about the advantages and risks of each.
When it comes to securing cloud resources, you need to know where the weak spots are and how attackers are targeting cloud assets. CMS and eCommerce platforms, cloud-based databases, web applications and other cloud assets are all at risk. However, you have limited security resources to work with (whether it's budget, manpower, or time), and you need to understand where attackers are focusing their efforts so you can allocate those resources effectively to provide the best possible protection.
Ultimately, the Cloud Security Report supports the recommendation that organizations accelerate migration to public cloud. Moving to the public cloud offers a unique opportunity to reduce your attack surface and re-architect for better security. The benefits of public cloud are real, and the CSR provides substantiated, data-driven analysis to help you focus your defenses.
It’s a mistake to assume that public cloud is somehow impervious. Lower risk is very different than no risk at all. Our analysis does not conclusively prove that a public cloud is more secure. All we can say for a fact is that within our customer base, over the 18-month period we analyzed, we saw a significantly lower rate of security incidents in public cloud environments despite running similar workloads in other hosting environments.
Read the full Cloud Security Report to get more details on the findings from Alert Logic’s comprehensive analysis of security events and incidents.