Cloud Computing Data Breaches – The Facts
May 16, 2012
By Vinny Sakore, Senior Consultant

Every year the buzz grows around the Verizon RISK team’s release of its annual Data Breach Investigations Report (DBIR). 

As an incident response professional, the DBIR is one of my favorite reads.  This year’s DBIR included analysis of security concerns in cloud computing.  So for those of you interested in cloud security, this is the blog post for you! 

The report, on page 40, states:

“Because working definitions of “the cloud” are legion, it can be difficult to answer questions about how this paradigm factors into data breaches.  Do we see breaches that compromise assets in an externally-hosted environment that is not managed by the victim?  Yes; absolutely.  Do we see successful attacks against the hypervisor in the wild?  No; not really.”

The Good News:

My first comment is that we should be encouraged that the DBIR’s section on Cloud is only a few paragraphs in length versus a few pages.  This is a good sign to our industry that providers are building platforms with security at their core. 

Recently, at the IAPP Global Summit in D.C., I asked Jack Danahy from IBM to comment on the security risks of Cloud in the context of Cybercrime.  His response began with the statement:  “…unlike other industries, cloud providers know that security is their number one issue and take it seriously.” 

This year’s DBIR seems to confirm that most cloud providers are aggressively managing the risks by hardening their environments.

Mislabeled Cloud Breaches
Oftentimes the term “cloud” is applied incorrectly to any entity that provides outsourced IT services and infrastructure.  This, unfortunately, has led to breach incidents being mislabeled as “cloud events” when they were in fact traditional data center and/or enterprise events. 

As an example, the Zappos breach that occurred in January 2012 was labeled a “cloud breach”.  Though Zappos is owned by Amazon, its data center is not part of the Amazon Cloud, nor does it operate in a multi-tenant model.  Zappos’ enterprise network was breached, resulting in the loss of credit card data.

Protecting the Heart

For this reason, the distinction the DBIR makes regarding the lack of “successful attacks against the hypervisor in the wild” is important.  The hypervisor (virtualization layer) is at the heart of cloud computing, with multi-tenancy being one of the core characteristics of a true cloud environment.  Attacks at the hypervisor level are a major concern in the information security industry, and the lack of successful attacks is encouraging.  Below are two reasons why Cloud providers have been successful in warding off attacks from cyber criminals. 

  • Reason #1:  Avoid the press!  According to the DBIR, with the exception of hacktivists, most cybercriminals select targets based on opportunity and try to avoid the notorious breach.  Targeting a major cloud provider will draw significant press coverage and involvement from law enforcement groups like the U.S. Secret Service and FBI. 

  • Reason #2:  Better fences!  I often tease my neighbors that I don’t need to build the perfect fence to keep the deer out of my garden… I only need to build a fence stronger and higher than my neighbor’s fence.  This would encourage the deer to go after the easier “fruit” in my neighbor’s yard.  Cloud providers, with their hardened environments, dedicated security teams and strong patch management services, are a “tougher” field to raid than many other organizations.

Takeaways and Targets
While the DBIR didn’t have a significant amount of content on cloud computing, the content speaks volumes to members of the cloud computing community.  Even in light of the thoughts I shared above, the tremendous aggregation of data combined with the number of new providers positions the cloud market as a tempting target for cyber criminals. 

Your thoughts matter – here and now

We look forward to bringing your thoughts on the cloud down to earth.  Please share them here.