
I have been looking for a while to find out the number of malicious attacks that have been successful against internal vs externally hosted web and SQL solutions.

When I say internal, I mean the server and resources are provided by the company, possibly with some 3rd party apps, and mostly internally built. When I say external, I mean a SaaS or PaaS such as Amazon, Paypal payments, or Azure Web and SQL. I understand that depending on how it is hosted, you may still be responsible for some security, but let us pretend that we give the responsibility to the vendor as much as possible.

We need some numbers ammunition as to why hosting in the cloud with a proper service/vendor is more secure than trying to run everything internally. We do not want to talk about the pros and cons of anything but security. This could be a company with one or two security and network experts or none. We are not talking about big IT companies with a lot of security resources.

It is entirely true that internal hosting can be more secure, but in general we believe it is not due to the number of experts within the company and the ability to track current vulnerabilities. (i.e. why do most people buy virus scanners vs building their own.)

EDIT: Let's get this more specific. Our current concern is that the data is not sensitive and cannot really be tied to anything of importance. Also, we are stuck trying to sell external hosting to older non-IT folk who will "never go to the cloud", when we believe the local solution is not nearly strong enough. We have tried to argue specific points, but none seem to stick.

Let us take the Azure platform with a website on App Service and a database on SQL vs a small IT shop, be it 1-4 total employees with no more than 1 security expert (most likely none). So a comparison of a large hosting company vs a small IT team.

I found this very interesting, I just wish I could see how they were hosted. I also know that any numbers I do find will be skewed by the lack of reporting breaches and ability to track these breaches for small companies. Think data hostage situations. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Everyone says it depends, and you are right, but where are the numbers to prove your "depends"? Who's to say that one truly isn't more secure than the other?

J. Doe
  • I think that asking whether self-hosting with only 1 or 2 security "experts" of unknown quality and resources are better than an unspecified SaaS or PaaS hosting solution of undefined quality is a bit too general to get good help. – Neil Smithline Jul 25 '16 at 19:17
  • I think you've embarked upon an endless mission. You're not likely to find a numbers comparison of internal vs external because I doubt it exists. Even if they *did* exist that's a figure for known and disclosed breaches; plenty of companies have malicious actors in their networks and have no idea. – DKNUCKLES Jul 25 '16 at 19:19
  • Neil, we can get into specifics but I am not sure how much this will help us. I understand it is a pretty general question and I will consider more details pending more responses. – J. Doe Jul 25 '16 at 20:09

1 Answer


In a generic sense neither internal nor external hosting are inherently more or less secure on their own. Ultimately it's just a different set of trade-offs.

In both situations the amount of security controls, how they are integrated, how they are managed, and response to events could theoretically be the same regardless of location. There is a small edge for the external hosting provider in that they are likely to receive more attacks which may give them more training data for learning algorithms if they are using such algorithms in their defenses. This might make them a bit tougher or stronger in the long run.

That said, there may be many unique flaws involved with the specific ones you mentioned which may give one of those systems more weaknesses or fewer options for control implementation. Loss of access to things like NetFlow data from a switch that can be trusted when a given host has been compromised might be an example of something you may lose with some external providers. Likewise another disadvantage is that an external hosting provider will likely care less about your data than you might care about your own, but even this is questionable and depends on the type of provider. I'll also point out that the current popular hosting platforms do not represent what could potentially be done if security were a company's highest priority.

A tremendous amount of security controls can be deployed on 3rd party hosting platforms. More importantly for most types of data, possibly not those involving national security issues, but pretty much everything else the level of security controls that can easily be implemented is far beyond the needs for that data. One thing to note here is that in addition to all the security hours needed to currently protect a given internally hosted platform you may need additional security hours to deal with security issues unique to the external hosting platform.

More than anything the choice becomes one of economic tradeoffs for an organization as a whole. Is it more cost-effective to host somewhere else, or does the added complexity of a given platform increase the costs such that the advantages are lost? Likewise, do other aspects about the platform allow a business to grow quickly? This may be a good reason for some organizations to justify an increased expense if it helps long-term.

Ultimately it's what you make of it. External hosting means you have a business partner who in the process of outsourcing some work for you may act as the custodian of your data but you are still the data owner and responsible party for ensuring its security. This is important to note because despite any claims an external hosting provider may make the security work and responsibility for security will still be owned by your organization and ultimately your organization has to be capable of both truly understanding the risks involved and also managing these choices responsibly.

In regards to your statement:

We need some numbers ammunition as to why hosting in the cloud with a proper service/vendor is more secure than trying to run everything internally.

What if the results show the opposite due to a massive number of small companies deploying poorly secured cloud instances simply because they are cheaper? Since it's likely a different set of demographics for who buys these, it may have very little value in evaluating which is truly a more secure option.

Trey Blalock