Data is Safer in the Cloud than on Your Network

“Cloud environments may be safer than on-premise environments,” said Rohit Gupta, VP, Business Development for Alert Logic. He was referencing a biannual study on cloud security that Alert Logic released this month. We spoke at the VMworld 2012 conference in San Francisco.

The cloud’s questionable security has become such a super hot topic that just the endless discussion of it alone has become something of a joke.

Gupta, who works for a security as a service company, noted that we have a strong discrepancy between what is truly secure and what we think is secure. We believe on-premise is secure because we feel we have a greater sense of control, given that the data is behind the company’s firewalls and on our network. In a cloud environment, users think they have less control.

“It’s a myth, because on-premise can be more compromised or more likely to be compromised than a service provider’s network,” said Gupta who points out that a service provider has to supply security to many customers and is bound by a series of compliance requirements that a company’s on-premise network may not have to adhere to.

In addition, attacks are not equal between on-premise and cloud environments. For example, brute force attacks are more common against corporate networks than service provider networks since they have tools to prevent DDoS attacks, said Gupta.

“[Service providers] must have more stringent controls and processes than corporations have on their own network,” Gupta said.

Additional security benefits of cloud operations include more talent looking at problems and the architecture of a virtual network aids in maintaining security, said Gupta.

Web applications are the target

Companies go to the cloud to deliver Web applications. Web applications haven’t been designed with a lot of security in mind and that’s where the attacks are happening, said Gupta.

What Gupta discovered is that the tools used to hack these applications are freely available open source tools originally designed to help developers test applications.

Related Lin

What’s the most over-hyped issue in security? (Hint: it’s white and fluffy) [Spark Minute]

Comments

  1. BY Thomas Knight says:

    The title of this article is “Data *IS* Safer in the Cloud…”, but note that Gupta uses the more accurate “Cloud environments *MAY* be safer…”.

    He says “…on-premise can be more compromised or more likely to be compromised than a service provider’s network”. Note the operative word “can”. What actually happens depends on what is actually implemented, doesn’t it?

    Gupta says “[Service providers] must have more stringent controls and processes than corporations have on their own network”. But he should say they must have more stringent controls and processes than corporations ARE ALLOWED TO have on their own network. Again, it depends on what’s actually implmented. Nothing says that the in-house data keeper is barred from meeting those same requirements, or even using *stronger* security practices than those required of a cloud provider.

    In the final analysis, it comes down to a security risk profile *based on what is actually implemented*. And that depends on whether an organization is willing to take a best-practices approach that’s at least as good as what’s required of cloud providers. Only when we consider the comparison of external versus internal options on this equal footing can we make a fair assessment of which presents more risk. When we do this, we will find that the answer depends on many things, and requires case-by-case consideration, making a general rule thus unattainable.

    One thing is for certain, though. We must admit that our assessment of the cloud provider will always include some degree of unknowns, and therefore risk, by virtue of its externality, that we simply don’t have internally. And the weight of that in your analysis is up to your organization, alone.

    All of the above is already known (or should be) by anybody whose job includes the consideration of security, though. So the bulk of what Mr. Gupta is telling us is nothing new.

    Cloud technology is just another tool in our toolbox. So let’s please stop with the cloud hype, okay?

  2. BY David Spark says:

    Thomas, you’re very right and yes the use of the verb “Is” in the title was leading and sounded definitive, but not the article itself.

    And yes, there is a lot of hype on cloud security, and yet he was trying to offer a view that you shouldn’t disregard cloud out of security concerns which sometimes happens as you and I know.

    If you’re annoyed by the hype around cloud, make sure you click the link at the end of the article and watch the video. I think you’ll be amused.

  3. BY Noah Chesterman says:

    Meh, the cloud is perfectly secure for some things. Say the encrypted backups from xyz company, perfectly safe, MUCH safer than a tape backup in a half hour fire safe, and more safe than many other options. Is it the ideal for virtual servers, web apps, etc.. Meh, a multitude of factors to debate; I would put it back on the user, do your due diligence, look up your provider options.

    Recent talk that is also worth looking at, basically sums up the it’s your fault if you don’t investigate your cloud provider and work within their framework to protect ‘your own property’.

    http://www.irongeek.com/i.php?page=videos/bsideslasvegas2012/1.2.1-andrew-hay-matt-johansen-applications-and-cloud-and-hackers-oh-my

Post a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>