A comprehensive new 2010 report on data breaches by Verizon and the US Secret Service shows that most of the breaches occurred on internally located and managed systems. Many of these are database and application servers. The report says that, based on their data and analysis, the authors cannot conclude whether using cloud computing and SaaS makes it less likely that a data breach will occur. This is clearly an area that requires more study.
Most hacking and cybercrime targets systems that are worth money and easy to access. Large institutions are not the only ones at risk. They may offer the largest payoff, but larger institutions tend to have more money and personnel to throw at the problem. Some smaller organizations may not have the staff or technical expertise to shore up their systems. This makes them vulnerable.
Hacking and attacks are now automated. For the most part, there is no personal vendetta against an organization. Sophisticated tools go out and probe vulnerable systems no matter where they are or who owns them. If you have a database or email server that is accessible from the internet, you are subject to attack.
This is another good reason to turn to SaaS and cloud computing. These systems are run in hardened data centers. The sole purpose of the companies that run them is to make sure they are secure and available. They use the latest in security and monitoring tools to watch for hackers and any malicious activity. Of course, there is the occasional incident, like when Google Gmail accounts were hacked, but this is not very common. I haven’t heard of a Salesforce.com breach or Amazon EC2 issue. If one of these companies suffered a major data breach, they might go out of business. Their customers would no longer trust them and that would be it.
Clearly more needs to be done to harden systems against attacks, but for my money I prefer to trust the professionals that do this for a living. My company uses mostly SaaS to run our business. We trust that we will get a secure and reliable service and that’s all we ask. I am not naive and realize that at some point the criminals will attack cloud environments more vigorously. But at the moment, there is still a lot of low-hanging fruit out there with unpatched and vulnerable systems sitting in company data centers and computer rooms.
Have you looked at your systems lately?
Photo credit: alancleaver_2000