Cloud Talk

Andre Yee

Cloud Computing Security Risks - Are They Real?


Security is the cloud computing issue that won't go away...nor should it. For all the paradigm-shifting promise of cloud computing, security is still a concern for many IT managers.

Here are a few real issues that few are talking about but that are vitally important to grapple with -

Encrypting Data-at-Rest - Alex Stamos, a prominent Black Hat researcher, raised this challenge for cloud computing providers. Stamos' point is not only that many cloud providers do not offer encryption of stored data (true) but also that there are inherent challenges in producing sufficiently random encryption keys in a virtualized environment, where a freshly booted or cloned instance can have a poor entropy pool to draw from. A key that an attacker can reproduce is no key at all, however strong the cipher around it. Fascinating stuff that you can read here if you're interested.

Don't miss the bigger point though - while much attention is given to network security (firewalls/IDS), hardly anyone is talking about the need for securing data-at-rest in a cloud environment...and we really should. Depending on the kind of data you're dealing with, it may not be necessary to encrypt all corporate data. However, encrypting critical data-at-rest like access information (usernames, passwords), privacy-related records and corporate sensitive information is a must. As a consumer of cloud based services or applications, you need to ask the right questions and demand the right answers from your provider: what is encrypted, where the keys are generated and stored, who at the provider can use them, and how the randomness behind those keys is sourced.
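To make the two points above concrete, here is an added example (written for this page, not code from the original post or from any provider mentioned in it) of encrypting a record at rest with AES-256-GCM. The key comes from the operating system's CSPRNG via crypto/rand; the associated data binds the ciphertext to a tenant and record identifier so a blob cannot be quietly moved to another row. Alongside it, PredictableKey is a deliberately broken key generator that stands in for the weak-entropy failure mode Stamos describes: it is seeded from a value an attacker could guess, so it yields the same key every time. The record, tenant and identifiers are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	mrand "math/rand"
)

// NewDataKey returns a fresh 256-bit AES key drawn from the OS CSPRNG.
// crypto/rand is the only acceptable source for key material.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// PredictableKey models the failure mode the text warns about: a key built from
// a non-cryptographic PRNG seeded with a value an attacker can guess or reproduce
// (a clock, a counter, the state of a cloned VM image). It is deterministic by
// construction and exists only to demonstrate the problem; never use it.
func PredictableKey(seed int64) []byte {
	r := mrand.New(mrand.NewSource(seed))
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(r.Intn(256))
	}
	return key
}

// Seal encrypts plaintext under key with AES-256-GCM. aad (for example tenant
// and record identifiers) is authenticated but not encrypted, so a blob cannot
// be silently re-attached to another record. Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails closed on any tampering with nonce, ciphertext,
// tag or associated data.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample record: the kind of access information the text says must be encrypted.
	record := []byte("user=alice;pwhash=$2b$12$...;role=admin")
	aad := []byte("tenant=acme;record=42")

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, _ := Seal(key, record, aad)
	back, err := Open(key, blob, aad)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, record))

	// Same blob presented under a different record id: authentication fails.
	_, err = Open(key, blob, []byte("tenant=acme;record=43"))
	fmt.Println("moved to another record rejected:", err != nil)

	// Weak entropy: anyone who can reproduce the seed reproduces the key.
	fmt.Println("predictable key repeats:", bytes.Equal(PredictableKey(1), PredictableKey(1)))
}
```

The questions to put to a provider map directly onto this code: which of these lines run on their side, where the equivalent of NewDataKey gets its entropy, and who can call the equivalent of Open.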

Security Policy Control - Here's an area where cloud computing security has to grow up. For cloud computing to go mainstream beyond the SMB market, it must offer IT organizations the ability to enforce corporate policy. This policy control ranges from simple daily policy issues (like enforcing rules to ensure "strong" passwords) to the more complex (like conducting security-related forensics, which is only possible if the provider retains the logs and will hand them over) and everything in between. Many cloud providers fail to offer the kind of granular policy control that many organizations require.
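As an added example of the simple end of that range (not code from the original post or from any provider), here is a tenant-configurable password policy check of the kind an IT organization would want to enforce on a cloud application. Policy, DefaultPolicy and the banned-password list are hypothetical names and constructed sample data; a real deployment would load the banned list from a breached-password corpus.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy is a hypothetical, tenant-configurable password rule set of the kind
// the text says a cloud provider should let an IT organization enforce.
type Policy struct {
	MinLength  int      // minimum length in characters (runes, not bytes)
	MinClasses int      // how many of lower/upper/digit/other must appear
	Banned     []string // constructed sample of a breached or common-password list, lower-case
}

// DefaultPolicy is an illustrative baseline, not a recommendation from the post.
func DefaultPolicy() Policy {
	return Policy{
		MinLength:  12,
		MinClasses: 3,
		Banned:     []string{"password", "password1", "123456", "qwerty", "letmein", "welcome1"},
	}
}

// classCount returns how many of the four character classes pw contains.
func classCount(pw string) int {
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true // punctuation, symbols, spaces
		}
	}
	n := 0
	for _, b := range []bool{lower, upper, digit, other} {
		if b {
			n++
		}
	}
	return n
}

// Violations returns every rule the candidate password breaks for the given
// account; an empty slice means the password is accepted under p.
func (p Policy) Violations(username, pw string) []string {
	var v []string
	if len([]rune(pw)) < p.MinLength {
		v = append(v, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	if classCount(pw) < p.MinClasses {
		v = append(v, fmt.Sprintf("uses fewer than %d character classes", p.MinClasses))
	}
	lower := strings.ToLower(pw)
	for _, b := range p.Banned {
		if lower == b {
			v = append(v, "appears on the banned-password list")
			break
		}
	}
	if u := strings.ToLower(username); len(u) >= 3 && strings.Contains(lower, u) {
		v = append(v, "contains the account name")
	}
	return v
}

func main() {
	p := DefaultPolicy()
	for _, c := range []struct{ user, pw string }{
		{"alice", "Password1"},
		{"alice", "alice-Rocks-2009!"},
		{"bob", "correct horse battery staple 42"},
	} {
		fmt.Printf("%-32q -> %v\n", c.pw, p.Violations(c.user, c.pw))
	}
}
```

Returning every violation rather than the first one matters for the user-facing side of policy: a person told only "too short" will fix that and then be rejected again for a banned word. The granular part the text asks for is that each tenant supplies its own Policy rather than inheriting the provider's.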

The Human Factor - what about the people who keep the cloud running? Does your cloud provider conduct background checks on all the individuals who have access to your data? By the way, do you know specifically who has access to your data? How about policies that govern who can and cannot see it? The point is that most security breaches are not about arcane attacks but about social engineering and negligent or lax policies. This is why I firmly believe every consumer of cloud based applications and services should demand that their providers be SAS 70 audited. If nothing else, this ensures transparency and consistency of policy enforcement. One caveat: a SAS 70 report covers only the controls the provider itself put in scope, so read the report rather than just the badge, and check that access to customer data is among the controls tested.

So much more to say here but these are enough to get the conversation going.

What do you think? Do you have SaaS applications or use cloud based services in your company and have you accounted for these issues? What other big security issues have I left out?

7 Comments

You probably heard about the Twitter hack last month.
http://blog.talkingidentity.com/2009/07/the-twitter-break-in-anything-to-learn-here.html

http://www.techcrunch.com/2009/07/14/twitters-ev-confirms-hacker-targeted-personal-accounts-attack-was-highly-distressing/

As you mention under policies a strong authentication, access control strategy must be in place especially for cloud providers that have a huge attack surface. Cloud-based "identity service providers" are popping up to federate identities and offer SSO to cloud apps but I wonder when the strong(er) authentication comes in.

Jeff - the Twitter hack was a wakeup call to many companies that leverage social networking tools. As you correctly stated, the bigger issue is that social networks are another cloud based app with a significant attack surface, and it'll only get bigger with increasing API support.

Andre - in the Twitter hack what was more interesting than the social networking aspect of Twitter was the hacker managed to break into Google Docs and Gmail which Twitter corporate was using for collaboration. The focus was on the "cloud applications" provided by Google to Twitter execs that were hacked. Twitter corporate just happened to be the victim. So in the end, Yes, cloud computing security risks are real.

With people working in a mobile enterprise, it all comes down to security. Think of it in terms of a castle. Everyone used to live within the confines of the castle where everything would be monitored. Now, not only have people started to move out of the castle, but they are traveling around the world where they can't be supervised. At one time the traditional firewall and perimeter used to pose as the moat and reinforced drawbridge to keep out intruders, but the castle is now vulnerable to siege at a moment's notice. Portable devices such as laptops, netbooks, and smartphones open the drawbridge for substantial security breaches. This need for protection is the King's main concern.

It's no secret that portability has become essential when accessing information in the business world, but there is a considerable amount of risk associated with mobility. The Federal Trade Commission estimates that business data losses, as a consequence of data theft and identity theft, amount to almost $50 billion annually.

And to further emphasize the necessity for security improvements, Price Waterhouse Cooper conducted a study in 2008 of more than 7,000 IT and information security professionals with CIO and CSO magazines worldwide. They found that "71% of respondents stated their organizations do not maintain an accurate inventory of where high-value data is stored."

When this data is lost or stolen, the results are catastrophic. It can lead to lawsuits, loss of a loyal customer base, fines from government agencies, and worse, leave immense weakness to the company’s systems. We live under the assumption that compliance regulations will keep us safe, but the truth is that standards set by the industry leave us with a false sense of security.

So can you ever have too much security? No. With a virtual landscape that changes daily, it’s critical to stay more protected today than you were yesterday.

Indeed, physical security will be a problem; companies providing these services should guarantee that also.

David - thanks for sharing your thoughts. I'm not sure I agree with your last comment about never having too much security. I think security is about risk management, not risk elimination. At some point, every business finds an acceptable point of risk tolerance, and they build their security policies and architecture around this risk tolerance.

That said, I have for years talked about the disruptive nature of combining "cloud apps" with end user mobility - it can potentially disintermediate the network security models currently in place in most enterprises today.

Andre

Completely agree with your post. PivotLink just achieved a SAS 70 Type II certification for the entire service. This has been important to quite a few customers that have data covered by HIPAA regulations and also to certain IT departments that want to demonstrate that they made the right choice with due diligence when they selected PivotLink for BI needs.

What is your perspective on SaaS vendor security as compared to on-premise? Is one better than the other, in general?

Andre Yee blogs about cloud computing, SaaS, Web 2.0 and other emerging technologies that matter to businesses.

Andre Yee

Andre Yee is an entrepreneur and technologist with nearly 20 years of experience in the business of technology.
