March 28, 2013

It’s The Web Application Security, Stupid!

Cloud hosted versus on premises: which is safer? The answer: “It really doesn’t matter,” according to a new report by the firm AlertLogic. A study of 45,000 security incidents over a six-month period confirmed that company’s earlier finding that cloud-hosted and customer-maintained resources are about equally susceptible to attack, with web application attacks a common denominator.

“The cloud is not inherently less safe than the enterprise data center environment,” AlertLogic concluded in its State of Cloud Security Report, noting that web application attacks are a significant threat vector in both environments. “The relative occurrence and frequency of incidents between CHP (cloud hosted platforms) and enterprise data center environments has been largely consistent, with no major shifts in incident patterns over the past two years,” AlertLogic reported.

The State of Cloud Security report surveyed 1,800 customers, most located in North America and Europe, between April and September 2012. During that time, AlertLogic identified more than one billion security events and 45,000 full-fledged security incidents, the company reported.

Debates about the inherent security of customer-maintained versus cloud-based infrastructure are common within IT circles. But they’re also misplaced, AlertLogic suggests. It is vulnerable applications, not the platform on which they’re hosted, that appear to be fueling attacks. Web application attacks were the most significant threat for cloud-hosted environments, with 52 percent of the surveyed customers impacted by them. The figure was lower, though hardly reassuring, among companies that managed their own application infrastructure: there, 39 percent of surveyed customers reported having their web applications attacked. So while cloud-hosted applications were more likely to be attacked, the overall security picture was mixed.
AlertLogic found that customers who managed their own data centers were more likely to be targeted in sophisticated attacks, and that problems like botnet infections were more common in traditional enterprise environments, where desktop systems are standard.

The majority of the web application attacks were carried out using common and freely available tools, such as Havij, which let less sophisticated hackers launch attacks with little effort, AlertLogic said. Regardless of where an application is hosted, “no one is immune to web application attacks,” which take advantage of poor coding and patch administration, AlertLogic warned. SQL injection was the attack most often used against applications; point-and-click attack tools like Havij accounted for over 40 percent of the SQL injection attacks in AlertLogic’s previous State of Cloud Security report.

This isn’t new information. Veracode’s own State of Software Security report identified many of the same culprits, though it didn’t look specifically at the cloud-versus-on-premises hosting issue. There, too, the data showed that SQL injection and cross-site scripting affected 40 percent and 71 percent of vendor-supplied web application versions, respectively, while only 10 percent of applications tested complied with the OWASP Top Ten list and 30 percent with the CWE/SANS Top 25 industry standards. Keep in mind, also, that those are results from a population of security-conscious companies that turned to Veracode for assistance. It’s safe to assume that the data from the much larger community of organizations with hosted and on-premises applications is no better.

The remedies for the application security problem are well known at this point. AlertLogic recommends that organizations consider a combination of secure coding practices, comprehensive patch management to stay on top of exploitable vulnerabilities, and active defenses, such as a web application firewall, to stop attacks.
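To make the “poor coding” behind those SQL injection numbers concrete, here is an added example (not code from the report or from Veracode) of the kind of login query a tool like Havij exploits, beside the parameterized form that closes the hole. The table, the two user rows and the attack strings are constructed for the demonstration; the database is an in-memory SQLite instance so it runs offline.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a throwaway in-memory users table (assumption, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "battery-staple", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The injectable pattern: untrusted input is spliced into the SQL text itself.

    Anything the user types becomes part of the statement, so a quote and a
    comment marker rewrite the WHERE clause. This is what point-and-click tools
    automate: they probe with quotes, watch for errors or changed responses, and
    then extract data through the same input.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The hardened form: the SQL text is fixed and values travel as bound parameters.

    The driver never lets the input change the structure of the statement, so the
    same attack strings are compared literally against the stored username.
    """
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Two classic payloads. In SQLite (as in most engines) '--' comments out the rest
# of the line, which here swallows the password check entirely.
COMMENT_OUT_PASSWORD = "alice' --"
TAUTOLOGY = "' OR 1=1 --"


def demo() -> dict:
    """Run both implementations against the same inputs and return the outcomes."""
    conn = build_db()
    return {
        "vuln_bypass_one_user": login_vulnerable(conn, COMMENT_OUT_PASSWORD, "wrong"),
        "vuln_dump_all_users": login_vulnerable(conn, TAUTOLOGY, "wrong"),
        "safe_same_payload": login_safe(conn, COMMENT_OUT_PASSWORD, "wrong"),
        "safe_tautology": login_safe(conn, TAUTOLOGY, "wrong"),
        "safe_real_login": login_safe(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function logs the attacker in as the admin with no password and, with the tautology, returns every row; the parameterized function returns nothing for both payloads and still works for a genuine login. Parameterization fixes the root cause in the code; a web application firewall that pattern-matches on quotes and comment markers is a compensating control that buys time, not a substitute for it.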
Veracode, in its own work, found that organizations need to make structural changes in the way they write and test applications to really see security benefits. Specifically, structured testing programs, as opposed to ad hoc testing, correlate with higher rates of participation, success and security for internally developed and third-party applications. With evidence mounting about the links between weak application coding and successful hacks and application compromises, the only question now is what it will take to get companies over the hump and on the way to more secure application coding, testing and deployment.

Paul Roberts is an experienced technology writer and editor who has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO and CSO. He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter or visit his website The Security Ledger.
