Cloud computing security: Is it safer than on-premises?

Author: Paul Gillin

Cloud computing security has long been a matter of hot debate. More than a decade after the first infrastructure-as-a-service platform was launched, people are still asking the question: Is data more secure in the cloud than on-premises?

The issue has gained urgency since the coronavirus pandemic forced many businesses to move to the cloud as a matter of survival. The shift was already proceeding at a rapid rate. A survey conducted by Flexera indicated that 59% of enterprises are expecting to go beyond their plans for cloud usage due to COVID-19.

By most accounts, security for major public cloud platforms matches that of world-class enterprise and government data centers, but attackers can still get through. Cloud assets were involved in about 24% of breaches last year, according to Verizon's 2020 Data Breach Investigations Report (DBIR). While that figure is dwarfed by the 70% of breaches that struck on-premises environments, it indicates that moving to the cloud is by no means a solution to breaches and a focus on cloud computing security is still a high priority. Before shifting workloads to the cloud, executives need to understand the risks and responsibilities. In most cases, the biggest risk is the person at the keyboard.

Data center security

The traditional boogeymen of the data center—hacking, social engineering and malware—are in long-term decline. Taking their place are phishing attacks, use of stolen credentials and vulnerabilities caused by human error. According to the DBIR, over 80% of breaches categorized as hacking involve brute force attacks or use of lost or stolen credentials.

Verizon researchers believe that's because cyber criminals have turned their attention to credential theft with the belief that they can enter a system through the front door, instead of leaving through an open back door using malware.

Of particular concern to on-premises data center operators is the prevalence of web application hacks, which exploit vulnerabilities in the software used to run websites, and account for nearly 90% of the top hacking vectors in successful breaches, according to the DBIR. Given the growing use of e-commerce applications today, it's unlikely that these vulnerabilities will become any less serious.

Fortunately, the steps to protect against exploits are well known. Multi-factor authentication, which requires users to present a second identification method beyond a password, is rapidly gaining traction. It's a simple and relatively inexpensive technique that can prevent more than 99% of account hacks, according to Microsoft.

Stolen credentials also account for most web application attacks, according to Verizon researchers. The other main vulnerability is unpatched server software. Researchers discovered that websites susceptible to one unpatched vulnerability were also likely to be open to many more, making them easy pickings for attackers. Again, the solution is well known: have a systematic approach to applying patches in the priority of their importance.

Cloud computing security

The biggest threat to security in the data center is also the biggest threat in the cloud: people. “Through 2025, 99% of cloud security failures will be the customer’s fault”, according to Gartner.1 In the DBIR, misconfiguration errors soared from about 15% of exploitable errors in 2018 to more than 40% last year. Delivery errors, in which sensitive information is sent to the wrong address, declined somewhat but still comprise more than 30% of all errors. Human mistakes are now the third most common cause of breaches, behind social engineering and hacking and ahead of malware.

The frequency of such errors has only increased with the use of the cloud. Users who lack the training to apply appropriate security controls may upload data and inadvertently leave it in the open.

Part of the problem may be that some users have become too complacent about cloud security. Most cloud services operate under a shared responsibility model in which platform providers secure the infrastructure while customers are responsible for locking down the software stack and applications. Users still need to patch vulnerabilities and control access to cloud accounts.

Is the cloud more secure than on-premises? Yes, for what the cloud is meant to do. But, cloud computing security still relies on responsible behavior on the part of both parties.

Learn about these vulnerabilities and more in Verizon's 2020 Data Breach Investigations Report.

1 Smarter With Gartner, Is the Cloud Secure?, October 10, 2019, https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/