Monday, October 18, 2010

New Microsoft Security Report - Implications for Cloud Computing

Microsoft has just released volume 9 of its bi-annual Security Intelligence Report (SIR) covering the evolving threat landscape for the first half of 2010. According to Microsoft, they analyze data from more than 600 million systems worldwide and Internet services to create the report.

As I've written about here many times, issues surrounding security and privacy are among the top concerns that businesses looking at cloud computing express. This is only natural - we hear about Internet security threats in the media every day - so it's perfectly natural to wonder whether cloud computing is safe.

So with the explosion of Internet services, SaaS and cloud computing, what do you think the top real-world security threats are so far in 2010?



According to Microsoft, the largest single category of security incidents in 2010 - just as in every other year - involves stolen equipment, with 30.6 percent of the total. Negligence and improper disposal of business records make up the bulk of the rest. This matches my real-world experience - think how many times every day that someone has a laptop, hard drive, USB stick or CD ROM stolen with valuable, proprietary or confidential information stored on it.

So what does this mean for cloud computing?

It shows how cloud computing is inherently more secure than on-premises software.

In the cloud computing world, information is never stored on your servers or laptops or hard drives or CD ROMs where it can eventually be misplaced or stolen. Instead it is physically stored in secure, Fortune 100-class data centers where the bulk of the categories of security threats above (stolen hardware, improper disposal, lost hardware, etc.) are vanishingly unlikely to occur. Your information is encrypted when it travels across the network and then it is displayed in your web browser. Your data is not ever actually stored on your PC - so if you are using cloud computing and your laptop gets stolen, that's all you have lost.

So while people are right to be concerned about privacy and security, I think this new report from Microsoft really shows clearly that if you adopt cloud computing, you become much less likely to experience many of the most common real-world security threats.

Microsoft has a second, interesting chart showing where software-related vulnerabilities come from.



While I presume that the reason Microsoft included this data is to try to make the point here that the Windows operating system doesn't really have that many vulnerabilities compared to software applications (the counter argument is of course that Windows is so ubiquitous that any vulnerability is a huge deal) there is another gem around cloud computing in this information.

If we take Microsoft's data at face value that application vulnerabilities make up the majority of software risks, then I think it's also easy to conclude that cloud computing is a great way of reducing this risk as well.

Why? Because in the cloud computing world the vendors, not the client, are responsible for application security. And the vendors tend to have mature security capabilities, audited practices and 24x7 operations and security teams. They have more focus on security and more resources and expertise than nearly any of the individual users of their systems.

Which is more likely - an individual business staying up to the minute on all of the latest security issues for all of their business applications, or a cloud computing vendor doing the same for a single application on behalf of thousands of businesses? Seems pretty obvious to me that it is going to be far easier for the cloud computing vendor to stay ahead of the bad guys.

I thought this was a nice piece of research from Microsoft (lots of pretty pictures by the way if you read it) - but more importantly I think that the real-world data in the report makes a nice point that leveraging cloud computing in 2010 is likely to be far more secure than running your own business applications on-premises.
