Edu Breaches Continue

If you have attended one of my Top Ten Breach presentations you will know that the educational domains (edu) are a big target. I give several reasons:

  1. The databases keep extensive identity data — financial, health, etc.
  2. Attackers often have higher motivation than financial gain — pride
  3. They run flat organizations with distributed security models
  4. They like to share
  5. Idle compute resources are plenty

I could go on. DarkReading says the trend continues with University Databases In the Bull’s Eye

The education vertical has been hit by at least three other glaring database breaches at big universities across the country during the past few months.

Come to my next Top Ten Breaches presentation this fall at the RSA Conference in London to hear what has changed from previous years.

Cloud Breaches Cost More

Whoa, I missed this report by Ponemon. Larry really has a knack for trying to put a very specific number on the cost of a breach. Secure Computing reports his latest finding under the headline Data breaches to cost more in the cloud:

Incidents that involved a third party — such as a cloud computing or software-as-a-service (SaaS) provider — had a higher average cost of $152 per record, compared to $109 for incidents that occurred and were handled in-house.

PGP CEO Phillip Dunkelberger told iTnews that organisations operating in the cloud incurred higher costs because of issues to do with territorial jurisdictions, and additional investigation and consulting fees.

I do not think crossing territorial boundaries is exclusive to the cloud. Furthermore, it makes sense that working with a provider adds an additional layer of legal representation and teamwork, but that does not translate directly into more load. Larger teamwork can also mean delegation and services are more efficient, which might offset some load.

Imagine a cloud adding breach response and legal consulting to the growing list of services, especially if they have prior experience and templates for notification. With a little twist and some preparation the cost just went down again.

Oh, wait, no, Ponemon says that costs more too.

The report found data breach incidents to cost 25 percent more when the remedy was managed by an external consultant or firm.

An even more sobering statistic is found towards the bottom.

The report found malicious attacks and botnets to account for 44 percent of data breaches. 31 percent of incidents were attributed to system glitches and the remaining 25 percent to negligence.

Thirty-one percent of all cases involved mistakes by third parties such as cloud computing or SaaS providers.

That says to me the vast majority of breaches did not involve third parties. Alternatively, it says that bringing in a third party carries a significant chance of causing a breach due to a “mistake”. That is better than malice, but still pretty high in terms of risk. It raises the question: what percentage of providers assumed liability/responsibility for their mistake?

Myths of Cloud Security

I noticed Trend Micro has a list of the Top 5 Myths of Cloud Computing Security.

…while a provider might take responsibility for security, the enterprise is ultimately accountable in the event of a compromise or breach. It is your data.

Well said, but I do not see five in their five, I see two.

  1. It is easy to transfer liability
  2. A cloud is more secure because it is big

Those are big buckets, I admit. I think people should really be clear on those two myths. Trend talks the usual talk about SAS70 being a limited review, which fits into number one. They also talk about needing redundancy in IaaS providers, which fits into number two, and so on.

Battle of Britain – 70th Anniversary

July 11th marks the 70th anniversary of the start of the Battle of Britain, which lasted until October 31st. This was undoubtedly the most important battle for Britain of the 20th Century.

German forces had quickly overwhelmed resistance in France and defeated the British in air battles over Europe. They next aimed to take air control of the English Channel to weaken Britain’s defenses and protect a sea assault.

Prime Minister Winston Churchill declared at that time:

What General Weygand called the Battle of France is over, the Battle of Britain is about to begin.

A day-by-day recount and calendar is available on the Royal Air Force site. Here are some statistics as they were recorded on July 11th, 1940.

Casualties:

* Enemy: Fighters – 10 confirmed, 2 unconfirmed; Bombers – 13 confirmed, 12 unconfirmed; Type unspecified – 1
  * Of the above totals, AA at Portland claims 2 confirmed and 1 unconfirmed.
* Ours: 3 Hurricanes (1 pilot safe), 2 Spitfires.

Patrols:

* 119 patrols involving 447 aircraft were flown.

Balloons:

* Deployed 1077, casualties 24.

Balloons? The British really knew how to celebrate, even in 1940. But seriously, the British military industry was only just beginning to shake off the mothballs at a time when a highly trained and well-equipped German offensive was right outside their door.

Barrage balloons emerged at the end of World War I to prevent German bombers from flying close to targets such as cities and industrial centers. They were used until the end of WWII as they continued to prove effective. German efforts to destroy the balloons usually ended in heavy German casualties, or as British Air Marshal Gossage put it: “the enemy having realized that the game is not worth the candle.”