The recently issued Verizon Research Investigative Solutions Knowledge (RISK) 2012 Data Breach Investigations Report poignantly reports that 98% of successful attacks stem from external agents. Their research of 855 incidents compromising 174 million records eclipses last year’s report of 4 million compromised records, a 4,250% increase.
Some of the more interesting, yet not surprising, aspects of this report include:
- 96% of attacks were not especially difficult to execute;
- 94% of data compromised involved servers, rather than large data stores;
- 85% of data breaches were not discovered for weeks and sometimes even months; and
- 97% of breaches would have been easily avoidable if a defense-in-depth strategy had been adopted.
In stark contrast to many IT organizations’ focus on the perceived internal threat and use of social engineering tactics, the report notes that only 4% of the data breaches involved employees and that only 7% utilized social engineering as a means of gaining access to data.
The report further states that 26% of the data breaches occurred at externally hosted facilities, accounting for 45+ million compromised records. If we assume for a moment that this represents the known universe of cloud computing attacks, this assumption is alarming in and of itself.
So where is the real cloud computing risk? It is my opinion that the real emerging risk lies with public cloud service providers, versus an organization’s private cloud. I believe that private clouds are no more or no less secure than conventional IT organizations. Moving data to a public cloud provider requires one relinquish a substantial amount of control over data as well as the assets in which they reside. This loss of control is where the risk gap exponentially expands.
In fact, my thoughts on this subject appear to be shared by the European Network and Information Security Agency (ENISA) and the Cloud Computing Alliance (CSA). Both have recently published guidelines on how to assess and address the risk of cloud service providers. The ENISA guide, Procure Secure, co-written by HP, provides excellent insight into eight monitoring parameters of security and availability. CSA’s latest version (V3.0) of Security Guidance for Critical Areas of Focus in Cloud Computing included Domain 14: Security as a Service to help organizations evaluate providers of cloud-based security services.
In my recent HP Expert Chat event on Cloud Protection, I cited the theory of immutability as causation to cloud computing security breaches. For example, if your data is hosted in the cloud, you no longer directly control its privacy and protection, thereby acquiescing its protection to the third party’s existing standard of care, a standard of care which may or may not meet the criterion of your existing security program.
Where do you see the risk pendulum swinging, closer to private clouds or public clouds? I would love to hear your thoughts on the subject. Follow me on Twitter @SecureMartini for more security insights.
Tari Schreider has worked in Information Technology for over thirty years. Specializing in cyber-security, he deals with security issues as they relate to converged infrastructure, data center, critical facility and storage, and cloud security. He recently partnered with HP Labs to create and apply for a patent for Risk Management Methodology.