A comparison between on-premise and cloud environments in terms of security : With an emphasis on Software-as-a-Service & Platform-as-a-Service

Abstract: Background: Cloud- and on-premise environments have been compared in terms of security several times. Many of these comparisons based their assessments on qualitative data rather than quantitative metrics. Some recent articles have considered comparing environments by using quantitative data. These methodologies are often complicated and based on incident simulations that might not be relevant in a real-life scenario. Therefore it could be troublesome for a company to evaluate and compare two environments before deciding which environment they would prefer in terms of security. Before an environment migration, it is decisive to know if that environment has been a target for recent cyberattacks. Unfortunately, this data is not available to the public. Objectives: This study aims to provide the reader with an overview of the environmental aspects of the victims of recent cyberattacks. It will reveal what environment cybercriminals have targeted the most. The study will also propose a methodology to compare two environments to each other based on quantitative measurements. The measurements were based on cybersecurity metrics that quantified the threats in each environment. Methods: A structured literature- and dataset review was conducted to find how much each environment had been exposed to cybersecurity incidents. Several expert interviews were held to help explain the findings made in the reviews. A threat analysis was used as the foundation for the proposed comparison methodology. A case study of a recent environment migration was used to test the proposed comparison methodology. Results: The results show that on-premise environments have been more exposed to cybersecurity incidents during recent years than cloud environments. The proposed methodology showed that the cloud environment was the preferred choice in the conducted case study. Conclusions: In recent years, cloud environments have been the preferred choice in terms of security as long as the cloud consumer takes heed to best practices. There is a knowledge gap when it comes to cloud environments. It has been the same for both cloud consumers and cybercriminals. However, according to recent threat reports, cybercriminals have started to improve. Therefore there will likely be more cloud-related incidents in the future. It was determined that the proposed methodology could represent the security posture of each environment. However, a decision should not be based entirely on this methodology because it has not been tested on a large scale.