When security and risk considerations play a role in determining where Internet-facing assets should reside, the inevitable questions that rear their heads are 'Are my assets safer if they're hosted with an externally hosted provider?' and, if so, 'Which provider would be safest?'
They're straightforward, but they're also tough questions to answer definitively. The data we've pulled together in our Cloud Risk Surface Report shows that some organizations fare much better in the cloud, and some fare worse.
Cyentia Institute analysis of Risk Recon security findings discovered across 18,000 organizations and 5 million hosts—both internally and externally hosted—showed that it's a horse race between the relative safety of the cloud and on-premises systems. The breakdown is a 40%/60% split between those firms that operate more safely in the cloud and those that operate with less risk on-prem.
The plotting of this data comparing safety in the cloud versus on-prem makes it clear that there's a lot of variability in that split, further muddying the waters.
Long and short of it is that without knowing a lot more about your organization and its capabilities, it'd be difficult to precisely predict where you'd fall on this spectrum.
However, there are some factors that can help winnow down the data and bring some clarity for organizations as they make important risk-based cloud choices. While none of these variables offer a clear map for picking the perfect cloud path, they offer some thought-provoking support for informed cloud decision-makers.
Organizational size does track to security exposures. Our analysis shows that midsize firms perform a little bit better in the cloud, while larger enterprises tend to manage their internal hosts better. Meantime, among SMBs—which are also the most prolific cloud users—there seems to be a statistically significant prevalence of severe security findings in high-value cloud-based assets. This could be pointing to a dangerous mix of convenience and complacency in the cloud for smaller orgs.
Our statistical modeling shows that education is the only sector that exhibits lower rates of severe findings in the cloud. Meantime, public administration, energy, retail/wholesale, and hospitality seem to be as safe in the cloud as on-prem. All other sectors, including admin/logistics, professional services, finance, real estate, manufacturing, and information technology, seem safer in the cloud. Healthcare in particular has 4x to 5x more risk in the cloud than on-prem. But there are some big caveats in the data here. First of all, there's a high degree of variability within industries. And secondly, these results may be more about fitness for the cloud than fitness of the cloud. In other words, some industries might not yet be mature enough to handle the security responsibility paradigm shifts of moving to the cloud.
Our research showed that within high-value assets hosted in the cloud, there exists 3x the rate of severe security findings than in similarly valued assets residing on-premises. Additionally, organizations are more than twice as likely to have severe findings in at least one high-value asset in the cloud as they are on-prem. However, this might partially have to do with our valuation algorithm. High-value assets tend to be more complex and contain more functionality, which could be leading to more cloud-facing issues.
In the calculus for deciding between the risk of cloud versus on-prem, reputation could change the equation for organizations. We use threat intelligence data as an indicator for reputation, and the data shows that on-prem hosts are 13x more likely to be blacklisted than any of the top cloud providers.
Cloud Provider Differences
Cloud choices are not just whether to go to the cloud or not with any given asset, but also which provider to use if the asset will be placed externally. Without naming names to shame low performers, our data shows that there is a 144x difference between the minimum and maximum rate of severe exposures among cloud providers. There may be a lot of correlational pull in these numbers—it might be more of a reflection of who is using the services and how they're being used than how much the provider itself impacts security. But the net-net of this factor is that not all providers are created equally and the risk equation changes depending on the service and use case.
In taking these risk factors into account, it's important for you to recognize that your organization's actions have a greater effect on your security in the cloud than what industry you are in or how many employees you have. At the end of the day, organizations must take a hard look in the mirror to make an honest assessment of other difficult-to-measure variables like IT maturity, organizational culture, business goals, and the process implications of putting a particular asset into the cloud. All of these figure into the complex SWOT analysis that organizations should undergo when making cloud decisions.