Recently, Akamai's security teams have seen a large percentage of attack traffic, both volumetric DDoS and Application layer attacks originating from Cloud IaaS and PaaS services.
The reason for this is not because the cloud vendors are attacking Akamai and other targets, but because there are myriads of server instances which haven't been patched and have now been compromised.
One of the main reasons for this is the Cloud's own success in enabling customers to spin up their own Windows and LAMP servers with Joomla, Wordpress, Webmin and other tools very easily. The problem is that once the creators get the site up and running, rarely do they return to update the OS or application to the latest patch release. Virtual Sprawl is also a significant issue, as most instanced get enabled very quickly, but rarely to people spin them down when they are completed with it.
So the attacker are fully aware of this and scan the entire IP range of these cloud providers. So much so that when legitimate customers move from their physical datacentres to the cloud, they tell me they get a massive amount of probing and reconnaissance on their cloud instances. This causes a big impact on their platforms, so much so that they have to spin up more instances in parallel behind the load balancer to cope with the load.
Akamai can help block the reconnaissance and probing by cloaking the origin IP address with Site Shield, to allow customers to only allow traffic from Akamai which has been cleaned and scrubbed while blocking all other traffic from the internet.
So the more customers going to the Cloud, the more customers that require an intelligent cloud security platform to provide the additional protection with DDoS mitigation, Application Security, resiliency, performance, efficiency and offload of their cloud platforms.