Last week I was closeted in our Cloud Adoption Contextual Research findings consolidation meeting. We were researching cloud adoption by the early adopters. We found a great variety of patterns, in some cases anti-patterns; enterprises are all over the map on risk management, for example. Perhaps this is only what one should expect from the cloud computing phenomenon we’ve dubbed “the transformation of IT.”
The security non-findings were interesting. None of the large enterprises from our survey reports breaches. They’ve seen no major disasters. Implementation issues aplenty, and some outages, yes, but no “advanced persistent threat” activity. From the security perspective the migration seems to be proceeding smoothly. Concerns are holding some organizations back, but they are just concerns. These concerns, implementation issues and architecture changes are extremely interesting in themselves – and you may expect to hear more from me on that – but they aren’t the subject of this particular blog post.
Part of me was looking for breaches, and that dog didn’t bark, at least among the 15 large enterprises we interviewed. I also looked at other information sources to see how enterprises are faring in cloud security. For example, a survey of attacks by Alert Logic reports that enterprises that use both premises-based applications and cloud-based ones are finding fewer attacks in the cloud. Does that mean the cloud is more secure than the enterprise, or just that the other shoe has yet to drop? As I’ve written before, I think some cloud service providers (CSPs) operate with stronger security controls than many enterprises, but they face a potentially more serious threat landscape long term due to the risk that’s aggregated in their volume of services. Thus, CSPs must be more secure than enterprises.
Clearly, the realization of higher cloud risk from the aggregation has yet to materialize for most large end-user enterprise customers. (Notice the careful wording to exclude the likes of Sony PlayStation Network, which is a service.) But one has to assume that as large amounts of sensitive and valuable IT reach the cloud they will be breached much as they are (continually) on premises. Perhaps breaches of enterprise security objectives will be less frequent in the cloud but when they happen they may be larger and more spectacular.
So far the breaches we’ve seen from Amazon, Azure, and others are mostly outages impacting our availability objectives. Bad enough in themselves, but not yet trampling enterprise confidentiality and integrity like Operation Aurora, Shady Rat, Night Dragon, and Zeus did. I mean to say that while we’ve seen forceful browsing or phishing vulnerabilities from Amazon, Google, Microsoft, and Salesforce these are still small potatoes that haven’t caused big losses. But it is inevitable that larger breaches of confidentiality and integrity will.
On the plains of the Serengeti wildebeests conduct their annual migration. Some are pulled down by predators, many survive. An interesting risk management question lies there: what is an acceptable loss rate?