Evidence on Cloud Computing Risks

Cloud computing is still an immature business model with little evidence to support many of the claims that are made about the business benefits or security risks associated with its adoption.

Over the past two years there have been many who have commented that the cloud is less secure than traditional computing models. That using a cloud services will lead to more targeted attacks against an organisation or that vulnerabilities in virtualisation technologies will be exploited to gain unauthorised access to sensitive information. However, the Verizon Data Breach Investigations Report (DBIR) 2013 appears to provide evidence that refutes these claims. Specifically it states:

“In the 2012 dataset we saw many cases that involved devices hosted and/or managed by third parties. However, the fact that these devices were in some form or fashion “in the cloud” was not a significant cause of the data breach, nor did it cause the devices to be more targeted.

In other words, attacks against the virtualization technology were not present, but attacks against weakly configured devices that happened to be hosted in an external location were common – but not any more common than among internally – hosted ones”.

This supports my own viewpoint that organisations that have poor information security management practices will continue to be bad at implementing and managing the security of their and their customers’ information whether or not they are using the cloud.

The lack of attacks against virtualisation technology in the 47,626 security incidents in the Verizon analysis is startling and suggests that its use to segregate security domains presents no real additional risk than using physical infrastructure. This doesn’t mean that there aren’t any virtualisation vulnerabilities but it does seem to suggest that they aren’t being exploited to gain unauthorised access to information.

Whilst this is only one dataset it is significant because of the number of incidents analysed. It provides some much needed evidence about the information security risk associated with cloud computing enabling organisations to focus their security efforts where they provide the greatest returns.