Late last week, Verizon issued its Verizon 2012 Data Breach Investigations Report, highlighting IT security issues. And while the telecom’s own summary of the report highlights the rise of hacktivism – 58 percent of data breaches in 2011 were attributable to hackers out to advance political or social agendas, the report says – there’s some good news for cloud believers like yours truly: Only around 26 percent of all data breaches involved externally hosted assets.

Verizon acknowledges in the report that there’s a problem in defining “the cloud,” but generally uses the term to mean any IT asset that’s hosted and managed by a third party. That’s as good a working description as any. But what’s really interesting here is the fact that those external data breaches, by and large, were the result of mismanaging controls such as access management- not any cloud-specific technology. In other words, cloud data breaches were largely due to improper maintenance of an access control list or an employee leaving a device somewhere they shouldn’t have.

“Do we see breaches that compromise assets in an environment that is not managed by the victim? Yes; absolutely. Do we see successful attacks against the hypervisor in the wild? No; not really. We’ve said it before, and we’ll say it again here: it’s really more about giving control of your assets and data (and not controlling the associated risk) than any technology specific to the cloud,” reads the report in small part.

Services Angle

First off, there’s a slight conflict of interest on Verizon’s part here: It owns infrastructure-as-a-service provider Terremark, so obviously this report wouldn’t talk trash about the cloud.

But I want to single out the report’s mention of attacks against the hypervisor, or lack thereof. Earlier in March, IBM highlighted how optimizing your data center by way of virtualized servers could make a facility far more efficient. But while correlation isn’t causation, this report suggests that it could be more secure as well.

And, as Wikibon analyst Bert Latamore pointed out in a recent study, “given the number of SMBs that go out of business each year after a fire in their office destroys the only up-to-date copy of their core business data, and the number of large enterprises that are years behind on installing security patches on their software, you should not just presume that your data is more secure at home.”

In other words, what this report really says is that it’s not the cloud that’s less secure, it’s that customers don’t know how to secure the cloud.