Companies moving data stores and applications to the cloud face security issues that differ from those of on-premises datacenters. These differences can be magnified by the particular cloud approach a company takes.
Themis Papageorge, director of information assurance at Northeastern University, says moving a portion of a corporate data store and selected applications to the cloud can present more opportunities for attack, and greater risk, than managing a corporate datacenter alone. In addition to managing its own hiring, training, network monitoring, and provisioning policies, the IT department needs to be aware of its service provider's policies in these areas.
"Enterprises care about risk," he said. That risk multiplies when the number of individuals with access (direct or indirect) to company data increases. Even though the potential for external threats remains basically the same -- attackers with no network credentials can attack corporate or cloud-based data -- insider threats increase with cloud services.
An insider can be anyone who has credentials to access data or physical access to the hardware on which the data is stored, Papageorge said. In a cloud environment, that could include a technician at the service provider who has access to servers or someone on the provider's help desk. Citing a recent breakdown in help desk security at Apple and Amazon, Papageorge said companies need to ask hard questions of their cloud providers about policies and procedures relating to help desk calls.
John Howie, chief operating officer of the Cloud Security Alliance (CSA), an industry group that promotes best practices, told me cloud computing is no more or less secure than a traditional datacenter for most applications. Security threats do increase, however, where cloud providers rely on virtual machines to separate customers in a multitenant environment. Servers are more vulnerable to attack and more complex to manage when a cloud service colocates a company on a server that uses virtual machines to separate tenants from one another, rather than building the separation controls into the software itself.
The SaaS vendors Salesforce.com and Google, for example, have internal software controls to keep Company X from accessing the data of Company Y on the same server, Howie said. In contrast, many cloud providers rely on off-the-shelf software and the protections built into it.
Howie and Papageorge agree that someone attacking a multitenant, virtualized server could gain access to other companies' data. The attacker could achieve this by breaking through the hypervisor to gain access to a host and then attacking other guest VMs on the server.
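The software-level controls Howie attributes to SaaS vendors come down to a simple rule: every data access is bound to the tenant making the request, so a record identifier alone never selects data. The following is an added illustration of that rule, not code from the article or from any vendor it names. It puts an accessor that trusts the record id beside one that carries the caller's tenant into every query; the table, column names and the two sample tenants are constructed for the example, and the tenant id is assumed to come from an already-authenticated session.

```python
"""Application-level tenant isolation for a shared data store.

Added example (not from the article or any vendor mentioned in it).
Table layout, column names and sample tenants are assumptions.
"""
import sqlite3


def build_store() -> sqlite3.Connection:
    """Create an in-memory table holding records for two constructed tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, payload TEXT NOT NULL)"
    )
    # Constructed sample data: two tenants sharing one physical table.
    conn.executemany(
        "INSERT INTO records (id, tenant_id, payload) VALUES (?, ?, ?)",
        [
            (1, "company-x", "X quarterly forecast"),
            (2, "company-y", "Y customer list"),
            (3, "company-x", "X price book"),
        ],
    )
    conn.commit()
    return conn


def fetch_unscoped(conn: sqlite3.Connection, record_id: int):
    """Weak pattern: the record id is the only selector, so a caller from
    company-x who supplies id 2 receives company-y's data."""
    return conn.execute(
        "SELECT tenant_id, payload FROM records WHERE id = ?", (record_id,)
    ).fetchone()


class TenantScopedStore:
    """Hardened pattern: the tenant is fixed when the store is opened
    (from an authenticated session, assumed here) and every query
    carries it, so cross-tenant reads fail at the query layer."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn = conn
        self._tenant_id = tenant_id

    def fetch(self, record_id: int):
        # None when the record belongs to another tenant or does not exist;
        # the caller cannot distinguish the two cases.
        return self._conn.execute(
            "SELECT tenant_id, payload FROM records WHERE id = ? AND tenant_id = ?",
            (record_id, self._tenant_id),
        ).fetchone()

    def list_ids(self):
        rows = self._conn.execute(
            "SELECT id FROM records WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()
        return [r[0] for r in rows]


def cross_tenant_read_possible(conn: sqlite3.Connection, caller_tenant: str, record_id: int) -> bool:
    """Check helper: True if the unscoped accessor hands the caller a record
    owned by a different tenant."""
    row = fetch_unscoped(conn, record_id)
    return row is not None and row[0] != caller_tenant


if __name__ == "__main__":
    db = build_store()
    print("unscoped read of id 2 by company-x:", fetch_unscoped(db, 2))
    scoped = TenantScopedStore(db, "company-x")
    print("scoped read of id 2 by company-x:", scoped.fetch(2))
    print("ids visible to company-x:", scoped.list_ids())
```

The point of the scoped class is that the tenant filter is not something each caller remembers to add; it is applied by construction, which is the property to ask a provider about when they say isolation is "built into the software".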
Like datacenter security, cloud security requires constant vigilance. It's worth it to take measures ahead of time to avoid trouble.
So if you maintain critical functions in your own database, but outsource other functions to the cloud, you end up with twice the security hassles, maintaining conventional datacenter security and cloud security.
As more companies move apps and infrastructure to the cloud, it's easy to see cloud growth expanding exponentially. You say that anything that can go wrong in the data center can go wrong in the cloud. Too true, but it gets more complicated than that. If you run your own data center for your most important databases, intellectual property and other company jewels, plus utilize the cloud for less mission-critical data, you multiply the number of attack vectors significantly.
Not only must you still maintain the highest levels of security for your internal data, but you still cannot give up your obligation to protect your cloud data. You still need to ensure that data is safe and secure.
As with other security issues, simply outsourcing computing environments or applications does not relieve you of your responsibility to protect your sensitive data. It adds neither truth nor clarity. The cloud simply adds another level of complexity to the security environment that must be addressed or it can create vulnerabilities that had never been part of the risk management assessment nor planned for in your defenses.
NIST described the cloud as having a "large attack face" about 18 months ago, and I can see no reason why that's become less true. Anything which can go wrong with conventional data centers can go wrong in the cloud, and assuming cloud vendors have security covered seems to me to be a head-in-sand position.
Amazon's and Apple's call center security wasn't up to snuff; how's their cloud security?
One way that enterprises can be safe is to learn in some detail what their cloud providers are doing. IT departments go from managing technology to managing relationships with technology service providers.
Looking at it from the cloud provider's perspective, I'm not sure what else, besides contracts assuring big payouts in the case of breaches, would make customers comfortable.
Ensuring that I as a provider would be able to pay up if customers were compromised would mean I'd need a mighty big warchest.
That's one of my major concerns with Cloud security. Someone breaks in, and you're at the mercy of the provider's security team, hoping they act quickly enough to prevent disaster.
If the cloud's the way to go (let's say your own business simply lacks the resources for sufficient security locally) then I'd factor in the provider's reaction time for a disaster recovery plan.
"Cloud computing is no more or less secure than a traditional datacenter for most applications."
I was a network engineer for a large telco and had complete access to rooms full of servers that belonged to various organizations. I was only supposed to work on one set, but could have compromised several.
That would not be the case if an organization took care of its own.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.