Companies moving data stores and applications to the cloud face security issues that differ from those of on-premises datacenters. These differences can be magnified by the particular cloud approach a company takes.
Themis Papageorge, director of information assurance at Northeastern University, says moving a portion of a corporate data store and selected applications to the cloud could present opportunities for attacks and increased risk compared with managing a corporate datacenter. In addition to managing its own hiring, training, network monitoring, and provisioning policies, the IT department needs to be aware of its service provider's policies in these areas.
"Enterprises care about risk," he said. That risk multiplies when the number of individuals with access (direct or indirect) to company data increases. Even though the potential for external threats remains basically the same -- attackers with no network credentials can attack corporate or cloud-based data -- insider threats increase with cloud services.
An insider can be anyone who has credentials to access data or physical access to the hardware on which the data is stored, Papageorge said. In a cloud environment, that could include a technician at the service provider who has access to servers or someone on the provider's help desk. Citing a recent breakdown in help desk security at Apple and Amazon, Papageorge said companies need to ask hard questions of their cloud providers about policies and procedures relating to help desk calls.
John Howie, chief operating officer of the Cloud Security Alliance (CSA), an industry group that promotes best practices, told me cloud computing is no more or less secure than a traditional datacenter for most applications. Security threats also increase in cases where cloud providers are using virtual machines to separate customers in a multitenant environment. Servers are more vulnerable to attack and more complex to manage when cloud services colocate a company on a server that uses virtual machines to separate users from one another rather than building controls into the software.
The SaaS vendors Salesforce.com and Google, for example, have internal software controls to keep Company X from accessing the data of Company Y on the same server, Howie said. In contrast, many cloud providers rely on off-the-shelf software and the protections built into it.
Howie and Papageorge agree that someone attacking a multitenant, virtualized server could gain access to other companies' data. The attacker could achieve this by breaking through the hypervisor to gain access to a host and then attacking other guest VMs on the server.
Like datacenter security, cloud security requires constant vigilance. It's worth it to take measures ahead of time to avoid trouble.
These recommendations and best practices from the SANS Institute and McAfee's security blog may help you protect your data in the cloud.
— Stephen Lawton is a longtime technology journalist and industry pundit.