Removing the Cloud of Insecurity
State of Cloud Security Report | Spring 2012
www.alertlogic.com

Removing the Cloud of Insecurity
State of Cloud Security Report, Spring 2012

Contents
Executive Summary 2
Methodology: Analyzing Real-World Data 4
Perception vs. Data: Is the Cloud Really Insecure? 5
Incident Identification 6
Summary of Results: Just the Facts 7
Statistics: Incident Occurrence and Frequency Rates 8
Conclusions: The Alert Logic Perspective 9
Wrapping Up: The Data Tells the Story 10
Appendix: Data Tables 11
Executive Summary

While there is clearly a heightened perception of risk in the cloud, are these fears supported by empirical data? The customers and partners of Alert Logic demand an answer to this question. This report is the first in a series of twice-yearly, data-driven analyses in which Alert Logic examines security trends across traditional on-premise and service-provider-managed environments. Alert Logic utilizes real-world security findings to understand the foundational differences between the classes of threats encountered in traditional on-premise deployments versus those found in service provider environments where cloud and hosted infrastructures are managed.

In analyzing the state of security, Alert Logic draws on security data from real end-user environments, both on-premise and managed by service providers, from its base of over 1,500 customers. In this report, the Alert Logic Security Research Team utilized twelve months of security event data captured from July 2010 through June 2011. Security incidents were identified through a combination of automated correlation and validation by certified security analysts. It should be noted that the sample is composed of data from customers who are making an active investment in security. As a result, the findings of this report may represent security-aware organizations and any conclusions drawn based on the data should be understood in that context.

Sidebar: Gartner surveyed more than 300 cloud computing users, asking them to rank their top three concerns. Nearly 50% of respondents identified service provider security as their primary issue.[1] Tier1 Research's 2011 report on the hosting market indicates that the majority of enterprises consider securing infrastructure as the most problematic aspect of the cloud.[2]

Fig. A: Risk increases with size and diversity (conceptual chart of risk against size and diversity, comparing on-premise and service provider environments).

[1] Gartner Global IT Council for Cloud Services report (2010)
[2] Tier1 Research Global Managed Hosting Market Overview (2011)
Key Findings

Findings from this study show that while there are differences between the classes and pervasiveness of incidents experienced in the on-premise and service provider environments, those differences may not necessarily line up with general perceptions about security:

• When compared to traditional in-house managed IT environments, service provider environments show lower occurrence rates for every class of incident examined.
• Service provider customers experienced lower threat diversity (i.e., the number of unique incident classes experienced by a customer) than on-premise customers.
• On-premise environments were twelve times more likely than service provider environments to have common configuration issues, opening the door to compromise.
• While conventional wisdom suggests a higher rate of Web application attacks in the service provider environment, Alert Logic found a higher frequency of these incidents in on-premise environments.

Part of the difference in risk level observed in these two environments can be explained by relevant IT surface area. While service providers often manage tens of thousands of servers and applications across multiple data centers, they are composed of vast numbers of individual customer or tenant environments. Each individual customer environment tends to have fewer application types residing on server-based operating systems (OSs) with tightly controlled network access, resulting in a relatively small relevant surface area for attack. In contrast, on-premise enterprise IT deployments tend to have a larger surface area due to their more diverse environments characterized by a broad array of OSs and applications, along with desktops, mobile devices and more network entry points.

Sidebar: What does this mean for security management decisions, especially in the context of migrating infrastructure to hosted and cloud deployments?

Security fears should not prevent organizations from taking advantage of hosting and cloud services. While security management is a critical issue when choosing a service provider, the decision should be based on a review of actual risks, not perceptions that are not supported by data.

Service providers, who tend to have detailed, repeatable management processes and infrastructure configurations, provide a good model for enterprises committed to maintaining on-premise infrastructure.

Service providers should focus their security management efforts on the threats most prevalent in their environment, while continuing to manage to best practices to create secure, highly available environments.

IT decision-makers should consider the benefits and risks of each model when deciding which workloads and applications to deploy in service provider environments and which to keep on-premise. In turn, internal resources can focus on the security posture of the area for which they maintain management responsibility.
Methodology: Analyzing Real-World Data

This report provides a comparative quantitative analysis of the classes and frequencies of incidents encountered in on-premise environments vs. service provider environments.

The analysis for both the service provider and on-premise cohorts is based on incident data detected in actual customer environments secured by Alert Logic, not from surveys, lab environments, or honeypots. Alert Logic captures security events in these environments through network-based, signature-driven intrusion detection systems (IDS). To correct for noise and false positives, Alert Logic utilizes a patented expert system that evaluates seven factors in determining if one or more network-based events elevate to the level of an authentic security incident (see Fig. D). Further, a team of GIAC-certified security analysts reviews each incident to ensure validity and to confirm the threat or compromise, providing an additional layer of scrutiny to minimize false positives.

The service provider cohort is composed of hosted and cloud environments managed by one of the Alert Logic service provider partners. These providers include more than half of the top 30 service providers headquartered in North America and are listed in the appendix.

The on-premise cohort represents environments deployed on the customer's premises. Alert Logic on-premise customers come from a broad range of organizations, cutting across all verticals, with a concentration of enterprises in highly regulated industries such as health care, finance, energy and retail/e-commerce. As expected, on-premise deployments were typically larger than service provider deployments, featuring a broader set of applications and operating systems. The majority of both cohorts are located in North America and Western Europe.

Fig. B: Visibility across multiple environments (service provider and on-premise).
Perception vs. Data: Is the Cloud Really Insecure?

Improved agility and financial benefits have driven the growth of the Infrastructure-as-a-Service (IaaS) model. However, a perception remains that IaaS offerings from service providers pose greater security risks than traditional on-premise deployments. While there is clearly a heightened perception of risk, do managed and cloud environments hosted by service providers actually experience different classes of threats, or different frequencies of incidents?

As providers of Security-as-a-Service to over 1,500 organizations with IT infrastructure housed either in on-premise environments or with managed service providers, Alert Logic draws on an extensive warehouse of security event data to examine this assumption and is uniquely poised to assess the validity of popular beliefs regarding the relative security of service provider environments.

Fig. C: Alert Logic customer data set (on-premise? hosted? service provider? cloud?).

How Alert Logic categorized its customer data

For its analysis, Alert Logic has categorized security data into two environments: on-premise and service provider. On-premise customers own and manage their own IT infrastructure. Service provider customers are an aggregation of all customers utilizing Infrastructure-as-a-Service solutions from a service provider, spanning from the elastic cloud to managed or dedicated hosted environments.
Incident Identification

2.2 billion security events observed during the study period were automatically evaluated and correlated through Alert Logic's expert system and reviewed by Alert Logic's security analysts. More than 62,000 incidents were verified and classified into seven incident categories.

Event vs. Incident

Event: Evidence of suspicious behavior detected via an IDS signature.
Incident: Validated threat deemed to require a response, identified by correlating one or more events.
Example: A single port scan is an event. A series of port scans over time from a host recognized as an attack source is an incident.

Alert Logic Security Incident Categories

Incident Class | Definition | Examples
Application Attack | Exploit attempts against applications or services that are not running over HTTP protocol. | Buffer overflow
Brute Force | Exploit attempts enumerating a large number of combinations, typically involving numerous credential failures. | Password cracking attempts
Malware/Botnet Activity | Malicious software installed on a host engaging in unscrupulous activity, data destruction, information gathering or creation of backdoors. Included in this category is botnet activity: post-compromise activity displaying characteristics of command and control communication. | Conficker, Zeus botnet, command and control botnet communication activity
Misconfiguration | Network/host/application configuration issues that introduce possible security vulnerabilities, typically a result of inadequate hardening. | Missing patches and writable anonymous FTP directories
Reconnaissance | Activity focused on mapping the networks, applications and/or services. | Port scans and fingerprinting
Vulnerability Scan | Automated vulnerability discovery in applications, services or protocol implementations. | Unauthorized Nessus scan
Web Application Attack | Attacks targeting the presentation, logic or database layer of Web applications. | SQL injection

Fig. D: Incident identification approach. Threat identification: events (more than 2.2 billion) pass through automated expert system analysis and certified security analyst review, yielding incidents (more than 62,000).
Summary of Results: Just the Facts

To assess whether on-premise and service provider environments experience different levels of risk, Alert Logic evaluated three factors:

Occurrence: The percentage of customers in each cohort experiencing each class of incident defined in the Security Incident Categories chart. Customers are included if they experienced a specific class of incident at least once during the study period.

Frequency: The average frequency of incidents, by class, for impacted customers, indicating how often customers experience an incident of a particular category.

Threat Diversity: The threat diversity in each group, i.e., the number of unique incident classes (of the seven categories reviewed) encountered by the customers in each cohort.

These measures, in combination, help define the critical elements of a security program. The class and frequency of events help determine the core elements of a program; higher threat diversity requires a more complex and involved security program to adequately protect assets.

Analysis of these three factors shows that even in security-conscious environments, virtually every environment will encounter meaningful threats. Further, service-provider-managed environments encountered more favorable results in all three of the criteria analyzed in this report. It should be noted that some of this could be explained by the differences in size and platform diversity of cloud vs. on-premise environments.

The rate of occurrence in an on-premise environment is more likely to be greater than the occurrence rate for service provider customers. This observation is true for all threat categories. The frequency of experienced incidents is higher for on-premise environments across most of the threat categories. The threat diversity for on-premise environments is greater than the threat diversity for service provider environments.

Fig. E: Top three incident classes. Service provider: Web Application Attack, Brute Force, Reconnaissance. On-premise: Brute Force, Web Application Attack, Vulnerability Scan.

Fig. F: Occurrence: percent of Alert Logic customers experiencing security incidents, by class of incident (values in the appendix data tables).
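The event-to-incident promotion described under Incident Identification and the three measures defined above, worked through on a constructed sample as an added example (this is not Alert Logic's code; the cohorts, events, the known-attack-source list and the rule that non-reconnaissance events count one incident each are assumptions made for the illustration):

```python
from collections import Counter, defaultdict

# The report's seven incident classes (Alert Logic Security Incident Categories).
INCIDENT_CLASSES = (
    "Application Attack", "Brute Force", "Malware/Botnet Activity",
    "Misconfiguration", "Reconnaissance", "Vulnerability Scan",
    "Web Application Attack",
)

# Constructed sample cohorts and IDS events: (customer, cohort, source_ip, class, day).
CUSTOMERS = {"on-premise": {"op1", "op2"}, "service-provider": {"sp1", "sp2"}}
EVENTS = [
    ("op1", "on-premise", "203.0.113.5", "Brute Force", 1),
    ("op1", "on-premise", "203.0.113.5", "Brute Force", 2),
    ("op1", "on-premise", "203.0.113.5", "Misconfiguration", 1),
    ("op1", "on-premise", "198.51.100.7", "Reconnaissance", 1),
    ("op1", "on-premise", "198.51.100.7", "Reconnaissance", 2),
    ("op1", "on-premise", "198.51.100.7", "Reconnaissance", 3),
    ("op2", "on-premise", "203.0.113.9", "Brute Force", 3),
    ("op2", "on-premise", "192.0.2.9", "Reconnaissance", 1),   # source not known hostile
    ("op2", "on-premise", "192.0.2.9", "Reconnaissance", 2),
    ("sp1", "service-provider", "203.0.113.5", "Web Application Attack", 1),
    ("sp1", "service-provider", "203.0.113.5", "Web Application Attack", 2),
    ("sp1", "service-provider", "203.0.113.9", "Brute Force", 1),
    ("sp2", "service-provider", "203.0.113.5", "Web Application Attack", 5),
    ("sp2", "service-provider", "198.51.100.7", "Reconnaissance", 1),  # a single scan
]
# Constructed stand-in for "a host recognized as an attack source".
KNOWN_ATTACK_SOURCES = {"198.51.100.7"}


def correlate(events, known_sources=KNOWN_ATTACK_SOURCES, min_scans=3):
    """Promote raw events to incidents. Reconnaissance follows the report's own
    illustration: a single port scan is an event, a series of scans over time
    from a known attack source is an incident. Every other class is kept as one
    incident per event (an assumption; the seven-factor expert system is not
    published). Returns a list of (customer, cohort, class)."""
    incidents, scans = [], defaultdict(list)
    for cust, cohort, src, cls, day in events:
        if cls == "Reconnaissance":
            scans[(cust, cohort, src)].append(day)
        else:
            incidents.append((cust, cohort, cls))
    for (cust, cohort, src), days in scans.items():
        if src in known_sources and len(days) >= min_scans and len(set(days)) > 1:
            incidents.append((cust, cohort, "Reconnaissance"))
    return incidents


def cohort_metrics(incidents, customers):
    """Occurrence (% of the cohort hit per class), frequency (mean incidents per
    impacted customer per class) and threat diversity (unique classes seen per
    customer), as the Summary of Results defines them."""
    counts = defaultdict(lambda: defaultdict(Counter))  # cohort -> class -> customer -> n
    for cust, cohort, cls in incidents:
        counts[cohort][cls][cust] += 1
    result = {}
    for cohort, members in customers.items():
        occurrence, frequency, distribution = {}, {}, Counter()
        for cls in INCIDENT_CLASSES:
            hit = counts[cohort][cls]  # impacted customers -> incident count
            occurrence[cls] = round(100.0 * len(hit) / len(members), 1)
            frequency[cls] = round(sum(hit.values()) / len(hit), 1) if hit else 0.0
        for cust in members:  # customers with no incidents land in bucket 0
            distribution[sum(cust in counts[cohort][c] for c in INCIDENT_CLASSES)] += 1
        mean = sum(n * k for n, k in distribution.items()) / len(members)
        result[cohort] = {"occurrence": occurrence, "frequency": frequency,
                          "diversity_distribution": dict(distribution),
                          "diversity_mean": round(mean, 1)}
    return result
```

Running cohort_metrics(correlate(EVENTS), CUSTOMERS) reproduces the report's three tables for the sample: occurrence, frequency and a threat-diversity distribution with its mean per cohort.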
Statistics: Incident Occurrence and Frequency Rates

While service-provider-managed environments encountered lower rates and frequency of security incidents across all categories, there are notable differences in the data. Alert Logic observed a far greater percentage of misconfiguration-based incidents in the on-premise environment. The average number of misconfiguration-related incidents per impacted customer is roughly equivalent: 3.0 instances in hosted/cloud, 4.0 on-premise. However, 12% of on-premise customers experienced a misconfiguration incident while only 1% of service provider customers did.

The most significant spread was found in malware/botnet incidents. On-premise environments were overwhelmingly more likely to encounter such incidents in their environments when compared to service-provider-managed environments, with 43% of on-premise environments versus 2% of service-provider-managed environments.

Both on-premise (71%) and service provider (65%) customers are highly likely to have experienced Web application attacks, and impacted customers in both environments were likely to have experienced a high number of such attacks over the period of study (on-premise 46.6, service provider 32.4).

Brute force incidents are even more commonly experienced in an on-premise environment than Web application attacks, with 83% of customers receiving an average of 47.3 such attacks. While brute force incidents in the service provider realm are significant (44% of customers experienced them), the difference between the two environments is surprising. With more public-facing targets (websites) in the service provider environment, the reverse might have been expected.

Vulnerability scans are observed among 37% of service provider customers and 54% of on-premise customers.

Fig. G: Frequency: number of incidents per impacted customer, by class of incident, July 2010 - June 2011 (service provider vs. on-premise, scale 0 to 50; values in the appendix data tables).

Threat diversity

Threat diversity is the third element that Alert Logic analyzed. While a lower threat diversity by itself does not mean an inherently less risky environment, a higher threat diversity indicates that a broader set of attack vectors is at play.

Alert Logic found lower threat diversity in service provider environments than in on-premise environments. During the period of this study, service provider customers averaged threats in 2.1 categories (out of the seven categories analyzed), while on-premise customers experienced 3.0.

Fig. H: Distribution of unique threats: percentage of environments impacted by number of unique threat classes encountered (0 to 7), service provider (mean 2.1) vs. on-premise (mean 3.0).
Conclusions: The Alert Logic Perspective

A belief persists that service provider environments are less secure than on-premise environments, but this is simply not supported by Alert Logic data. Alert Logic analysis indicates that service provider environments tend to be less prone to a broad range of security incidents than on-premise environments. Further, service provider environments tend to experience a narrower range of attack vectors. Possible explanations include the presence of more standardized system configurations in the service provider world, a narrower range of use cases among service provider customers, and the relative maturity of the IaaS industry.

It's not that the cloud is inherently secure or insecure. It's really about the quality of management applied to any IT environment.

While this data certainly casts doubt on conventional wisdom and concerns about security in the service provider environment, Alert Logic does not believe that it leads to a simple "service provider vs. on-premise" conclusion. While we observed differences between the two environments, we believe that there are several factors that help explain these variances:

• The typical size of a customer/user in each environment
• The types of workloads found in each environment
• The diversity of each environment
• The presence of user endpoints in the on-premise environments

All of these differences speak to the relationship between risk level and IT surface area in any environment.

Fig. I: Opportunity to improve security posture (conceptual chart of risk against size and diversity, comparing on-premise and service provider environments).

Fig. I represents a conceptual framework for thinking about these differences. While service providers manage vast networks with tens of thousands of servers and applications, the relevant surface area a prospective buyer of IaaS solutions should consider is that of the individual customer environment. In Alert Logic's experience, those individual customer environments skew to a smaller and simpler footprint as measured by a number of nodes and applications, and breadth of operating systems. In contrast, on-premise environments managed by the typical enterprise span a much broader array of endpoints, applications and operating systems.

Service provider environments, with smaller deployments, inherently avoid some of that risk and therefore are a good choice for appropriate workloads. Organizations making decisions about cloud and hosted infrastructure can exploit these differences to improve their security posture and make the most effective use of IT resources.
Smart enterprises should take advantage of the service provider model for certain workloads.

Those workloads can take advantage of the service provider's highly repeatable configurations and processes and demonstrated ability to manage to best practices (evident in the far lower misconfiguration rates observed). These characteristics allow service providers to very effectively manage security for a focused set of threats. For example, a Web-based server application and related databases containing sensitive customer data may be a good fit for migrating to a hosted or cloud environment. The segregation of server-based applications and assets from a diverse and porous on-premise network with numerous mobile clients and desktops, which are often targets of highly prevalent malware and botnet infection, can create an inherently more secure environment for that application. At the same time, in-house IT resources can focus on the unique challenges in their environment.

Service-provider-managed environments are not magic bullets and not all are created equal.

Alert Logic data and experience suggest that much of the improvement in risk profile in the service provider customer data comes from a lower complexity and diversity and better management of the basics, most notably configuration management. The primary decision an enterprise must make is whether they wish to replicate those best practices or if they wish to let someone else handle them. Selection of a service provider should include careful evaluation of the security policies and solutions that are available from the providers under consideration.

Service providers must be aware that while they benefit structurally from more limited and well-defined workloads, enterprise security concerns will not disappear.

Lower threat diversity today doesn't mean that service providers will not face increasing threat diversity in the future. To protect against leading threat vectors, service providers are best served by focusing time and energy on the most pervasive risks in their customer environments: Web application attacks, brute force and reconnaissance. In addition, service providers should continue to build on their demonstrated competence in managing to best practices around fundamental security hygiene, such as configuration management and operating system hardening.

By utilizing strong product management disciplines to determine which IaaS solutions are offered and supported, service providers can play a role in minimizing the threat diversity in cloud environments by limiting the IT surface area for potential attacks. Managing security programs requires service providers to maintain continued visibility into the threats encountered by customers and continuous improvement in identifying and defending against those threats. Security management is not a discrete goal to be achieved and considered complete; it is an ongoing process that is fundamental to providing IT infrastructure management as a service.

Wrapping Up: The Data Tells the Story

With security visibility into both on-premise and service provider environments, Alert Logic findings offer a unique perspective on managing IT security. Whether in the cloud or an on-premise environment, effectively securing IT infrastructure is largely about the quality of management:

• Focusing on basic hygiene, Web application security and configuration issues
• Strategically isolating workloads in the most appropriate environment
• Building and maintaining security expertise for workloads retained on-premise

Despite the widespread perception that the cloud presents an increased security risk, fears that the cloud is inherently insecure are not supported by the data.
Appendix: Data Tables

Occurrence: Percent of Customers Experiencing Security Incidents, by Class of Incident, Jul 2010 – Jun 2011

Incident Class | Service Provider | On-Premise
Web Application Attack | 65% | 71%
Brute Force | 44% | 83%
Reconnaissance | 42% | 51%
Vulnerability Scan | 37% | 54%
Application Attack | 3% | 9%
Malware/Botnet Activity | 2% | 43%
Misconfiguration | 1% | 12%

Threat Diversity: Distribution of Unique Threats

Unique Threat Classes Encountered | Service Provider | On-Premise
0 | 9% | 0%
1 | 27% | 20%
2 | 27% | 23%
3 | 21% | 22%
4 | 14% | 18%
5 | 2% | 11%
6 | 0% | 5%
7 | 0% | 2%
Mean No. of Threat Classes Encountered | 2.1 | 3.0

Frequency: Number of Incidents per Impacted Customer, by Class of Incident, Jul 2010 – Jun 2011

Incident Class | Service Provider | On-Premise
Web Application Attack | 32.4 | 46.6
Brute Force | 22.4 | 47.3
Vulnerability Scan | 21.8 | 22.9
Malware/Botnet Activity | 8.4 | 28.1
Application Attack | 6.2 | 6.2
Misconfiguration | 3.0 | 4.0
Reconnaissance | 2.4 | 10.1

Top Three Incident Classes

Service Provider: 1. Web App. Attack (65%); 2. Brute Force (44%); 3. Reconnaissance (42%)
On-Premise: 1. Brute Force (83%); 2. Web App. Attack (71%); 3. Reconnaissance (54%)

Service Provider Partners Included in Study

Service Provider Partner | Website
ATOS Origin | atos.net
CyrusOne | cyrusone.com
Datapipe | datapipe.com
DediPower | dedipower.com
Hosting.com | hosting.com
Hostway | hostway.com
Internap | internap.com
Latisys | latisys.com
LayeredTech | layeredtech.com
LogicWorks | logicworks.net
Megapath | megapath.com
NaviSite | navisite.com
OpSource | opsource.net
Peer1 | peer1.com
Rackspace | rackspace.com
Sungard Availability Services | sungardas.com
Visi | visi.com
Windstream | windstreambusiness.com