Cloud Services Face Different Security Threats

Alert Logic has examined the idea that the cloud is less secure than an on-premises enterprise data center and found it wanting. Both are about equally risky, it concluded, although the nature of the risk is different in each site.

Alert Logic is a security-as-a-service supplier to both on-premises locations and service providers in the cloud. That puts it in a position to examine 70,000 security incidents arising from over 1.5 billion security events occurring over the last year to its 1,600 customers. It analyzed data from the incidents to determine the nature of the risk at each type of site.

Alert Logic's study, "State of the Cloud Security Fall 2012," might have been skewed in favor of the cloud providers because many of Alert Logic's customers are experienced data center companies likely to have strong security practices. They include: SunGard, the disaster recovery specialist that has gone into cloud services; Rackspace, generally considered the runner-up to Amazon Web Services when it comes to providing infrastructure-as-a-service (IaaS); Internap Network Services, the colocation company and content delivery network; and Datapipe, an IaaS and managed services supplier. But the high profile of these companies also ensures that they garnered attention from some of the most virulent malware makers.

"Service provider-managed environments did not encounter a greater level of threats than on-premises environments. All factors in the analysis supported this conclusion," including types of incident, frequency of incidents, and diversity of threats assailing each type of environment, concluded the study.

[ Want to learn more about what constitutes the chief security threats from a federal IT point of view? See Federal IT Survey: Hacktivists, Cybercriminals Are Top Threats. ]

And while some industries, such as public electrical utilities or financial services, might fear being targeted by skilled hackers, Urvish Vashi, VP of marketing at Alert Logic, said "most attacks are not targeted" at a specific company or industry. They occur almost equally across industry groups, indicating attackers "are looking for vulnerable targets rather than selecting specific organizations to attack." The opportunistic nature of attacks was reinforced by the high level of reconnaissance activity--searching for backdoors, open network ports, etc.--through which an attacker might enter. They occurred across all industry groups, rather than, say, being concentrated on financial services.

Web application attacks, where attackers use toolkits that try to take advantage of an application's known vulnerabilities, such as a buffer overflow exposure, were common to both service providers and on-premises data centers. But they were more frequent among service providers, where 53% of those examined had experienced one. For on-premises data centers, they occurred among 43% of the customers.

But on-premises data centers tend to run a wider variety of applications and operating systems, meaning that those that were attacked would face a larger number of threats, an average of 61.4 such attempts versus 27.8 for service providers.

The opposite was true when it came to brute-force attacks, where malware attempts to gain access through a power penetration program such as password cracking. Forty-six percent of on-premises facilities experienced such attacks versus 39% of service providers. The frequency of such attacks leaned heavily toward on-premises facilities, which averaged 71.7 per customer, versus service providers, which averaged 42.6 per customer.

Those were the two most common attacks experienced at either location. Also common among service providers was the number three threat, the reconnaissance attack, where an agent scans for open ports or attempts to pick up the fingerprint of a running application on a particular network. With such information, the attacker hopes to later find a vulnerability. Thirty-eight percent of service providers experienced such an attack during the six-month period covered by the study. But such attacks were less common on premises, where 32% of customers had experienced them.

The number three on-premises threat came from intrusive malware and netbots, such as the Conflicker and Zeus bots that try to take command of desktop communications. Thirty-six percent of on-premises customers had experienced such attacks, compared to only 4% of service providers.

Vashi said the number of security incidents in each environment lead Alert Logic to conclude there was little security advantage to one over the other. On the contrary, the different types of attack experiences match the different profiles of service providers and on-premises data centers. The service provider is a server-dominated environment with few end users, but relatively rich in application targets, leading to more reconnaissance attacks. The large number of end users in on-premises environments leads to more attempts to crack desktops through Trojan horses, bots, and other malware.

Vashi said IT staffs in both types of environments attempt to keep the environment protected from outside threats, but he gave an edge to service providers, whose task may be somewhat simpler and directly tied to their survival as a business. They tend to supervise large sets of similar servers, running identical or a few closely related operating systems. "The difference is a smaller IT footprint and attack surface," he said. Service providers in some instances are rigorously implementing best security practices, due to the exposed nature of their business.

On-premises IT has a more complicated task of keeping a wide variety of operating systems and applications up to date with patches and may have more points of entry as IT tries to adapt to the many types of computers and handheld devices that it is trying to support. On-premises sites are more likely to have a misconfigured system running somewhere that has (at least momentarily) been lost track of.

"While there are many factors to weigh when deciding whether to move infrastructure to the cloud, an assumption of insecurity should not be among them," the study concluded.