On May 31, the Cloud Security Alliance released a white paper entitled “Cloud Computing Vulnerability Incidents: A Statistical Overview”. This paper analyzes published cloud vulnerabilities reported in the news media from 2008 to 2011. A total of 172 unique cloud incidents were analyzed to determine root cause and attribution. The overall mission of the analysis was to encourage cloud vendors to improve transparency of reporting. There are other several other points of interest in the report.
Over the 2008-2011 time period, the number of incidents per year increased by 370%. However the cloud market (according to Forrester) increased by 440%. So cloud vendors achieved a modest improvement in security over this period. The report also includes a pie chart of incidents by vendor, with Amazon, Google and Microsoft leading the way. A number of other large cloud vendors show up in the pie chart, but with much smaller slices of the incident pie. As the report’s authors state: “it is noteworthy to observe companies which have a large customer base but relatively lesser cloud outages”. Maybe with further reporting, we will achieve a standard of excellence in cloud reliability and fewest cloud incidents. The third item that caught my attention was the fastest growing threats, at least in the 2010-2011 time period. These included “Insecure Interfaces and APIs”, “Data Loss or Leakage” and “Unknown Risk”. Data loss and leakage will likely continue to grow. The growth in the unknown category shows that we still need more transparency in security incident reporting.
This report is a good effort in evidence based risk analysis and worth reading. Hopefully the authors will continue the research.