'Pure' Public Clouds Found More Secure than Hybrid, Private
Contrary to some widely held expectations, public cloud environments suffer from significantly fewer security attacks than on-premises, private cloud or hybrid cloud environments.
That's one of the key findings in cloud security vendor Alert Logic's most recent "Cloud Security Report" (available here with registration), which analyzed data from nearly 4,000 Alert Logic customers from August 2015 to January 2017.
According to Co-Founder Misha Govshteyn, since Alert Logic first began releasing its cloud security findings in 2011, the company has observed -- but not officially concluded -- that security attacks have tended to occur at lower frequencies in public cloud environments compared to on-premises. Based on the findings in the 2017 report released this month, this pattern is now worth putting on record.
"For several years, we have observed that across the industry, security incident rates in public cloud environments are lower than they are on-premises. Though we have chosen not to highlight this in past Cloud Security Reports, we've confirmed this perception over time by close analysis of our own data. With years of observations and a clearly established pattern in hand, we are now confident in concluding that public cloud environments have lower observed incident rates than on-premises data centers," Govshteyn wrote in the report's executive summary.
Over the 18-month period represented in the 2017 report, Alert Logic found that organizations running pure public cloud environments each experienced an average of 405 security incidents (the company defines an incident as "an event or group of events that have been confirmed as a valid threat warranting further investigation, analysis, and possibly response"). The researchers did not notice an appreciable difference in incident frequency between Amazon Web Services (AWS), Microsoft Azure and other public cloud vendors.
In comparison, on-premises environments experienced an average of 612 incidents per organization, a 51 percent higher rate.
Hosted private cloud environments fared even worse, experiencing 684 incidents per customer. And, perhaps most surprising, hybrid environments averaged 977 incidents per customer -- 141 percent more than public clouds.
Alert Logic attributed the poor performance of hybrid environments to the notion that combining public and private clouds potentially expands an organization's attack surface, as well as exacerbates the weaknesses of each type of implementation.
"It's possible that installations combining public and on-premises components catch the worst of both worlds -- not as lockstep in receiving updates as all-public installations, not as carefully attended as on-premises installations with dedicated staff," Govshteyn wrote.
As a caveat, he did note that any data relating to hybrid clouds is muddled by the fact that there is no real industry consensus on the definition of "hybrid," an observation that has been borne out in other studies, including a recent Stratoscale survey indicating that over three-quarters of IT pros define "hybrid" in one of two ways: "the ability to move workloads between private and public cloud," but also "the concept that different workloads belong in different public and private environments."
That said, public cloud platforms like AWS and Azure do offer proven security benefits to organizations, such as the ability to isolate applications inside virtual private clouds (VPCs). This limits the ability of a single compromised application to infect the rest of the environment. "There is less opportunity for attackers to move laterally, or to launch attacks able to unfold rapidly into enterprise-wide calamities," the report explained.
Public clouds also typically provide "better security mechanisms and easier administration," according to Alert Logic.
Despite their findings, the researchers warned businesses not to be lulled into a false sense of security when it comes to the public cloud. "Lower incident rates do not necessarily translate to lower risk -- especially when, as is increasingly more common, businesses rely on the public cloud to handle their highest value assets," Govshteyn said.
In short, according to the researchers, organizations should feel confident in migrating even critical applications to the public cloud, but they must not forget to implement best security practices.