Is ‘Web Security in the Cloud” more secure?
Aberdeen has released a study (underwritten, in part, by McAfee and Symantec) with the headline:
Web Security in the Cloud:
More Secure! Compliant ! Less Expensive
Their conclusion is interesting:
Drawing on the findings from multiple benchmark studies on best practices in content security and security software as a service, Aberdeen’s analysis shows that users of cloud-based web security had substantially better results than users of on-premise web security implementations in the critical areas of security, compliance, reliability and cost. Compared to companies using on premise web security solutions, users of cloud-based web security solutions had 58% fewer malware incidents over the last 12 months, 93% fewer audit deficiencies, 45% less security-related downtime, and 45% fewer incidents of data loss or data exposure.
As usual, it is necessary to look under the covers.
- The Aberdeen research brief focuses only on web security. It does not address web application security, although they say “nearly half of all reported vulnerabilities are related to web applications”. The report describes web applications security as “vulnerabilities and exploits that are specifically related to web applications and their supporting frameworks, application servers, web servers, database servers, and computing platforms.”
- The results, and the conclusion described in the study’s headline, are based on the results of Aberdeen’s earlier Safe Email study. I will let you decide whether that justifies the conclusion and claim, since more than email is (potentially) put in the cloud
- The study’s results are based on an analysis of 36 organizations using on premise web security solutions and 22 using cloud-based web security solutions.
- Is that a sufficient sample size? Perhaps
- Will you be using the cloud in the same way? The only security measure that matters is the security of your operations, relative to your use of the cloud and the security mechanisms you have in place
Even with these limitations, I believe this is good news. Every organization should carefully assess the risks and make an intelligent decision before they move operations to the cloud, and ensure they have an appropriate level of security and privacy protection. But, it is good to see that vendors of web-based security are making good progress.