cloud security not a problem

1540-7993/12/$31.00 © 2012 IEEE. Copublished by the IEEE Computer and Reliability Societies. July/August 2012.

FROM THE EDITORS

John Viega, Editor in Chief

Cloud Security: Not a Problem

There's a lot of fear, uncertainty, and doubt around cloud security. According to the 2012 Cisco Global Cloud Networking Survey, 72 percent of IT professionals cite data protection security as a major obstacle to cloud deployments.

According to Gartner, a leading IT analyst firm, less than 1 percent of enterprise email deployments in 2008 were cloud based, but by 2020, 50 percent are expected to be. It'd be a shame if misconceptions and sloppy thinking slow this down. Little differs between cloud and traditional applications:

• Resource outsourcing. At least some computing resources are controlled by someone else, and those resources live somewhere else. Infrastructure, operations, and physical security are a concern.

• Multi-tenancy. While not a strict prerequisite for the cloud by most people's definition, it's still one of the things that makes many cloud deployments special.

• Scale. Because cloud applications often host many tenants, they sometimes scale far beyond what traditional applications require in terms of data and request rates, depending on the technologies under the hood.

The first two have obvious security implications. In fact, multi-tenancy is widely cited as a big security concern: people are afraid the boundaries between application and data might break down and lead to a breach in confidentiality or integrity.

With outsourcing, the primary difference in the cloud model is that most customers don't control the key resources they might if they were hosting the application themselves. But all the same security approaches we've been developing for decades apply here. For instance, we can make sure the right controls are in place for reducing attack surface, ensuring adequate authentication and authorization, and detecting and responding to breaches.

If cloud customers want to understand the security posture of the applications they're using, they must rely on their cloud vendor to provide visibility into its controls and practices. Many vendors are starting to provide that transparency by publishing controls to their customers, but this varies on a case-by-case basis.

As for multi-tenancy, probably the biggest technical problem centers on data security—data needs to be as secure as possible while still being easy to use and access. The obvious answer to this problem is encryption, but this presents a few practical challenges.

• How do we perform effective key management? Do we escrow keys in the cloud, even if they're encrypted? If so, that just moves the problem without solving it. The cloud trend seems to be toward two-factor authentication with passwords and mobile phones. But there's still a disappointing lack of pervasive, strong authentication.

• How can we encrypt data while still keeping it usable? For example, an important requirement for email archiving solutions is search. Using traditional encryption, data must be decrypted before it can be searched. Many customers won't want the keys kept server side alongside the application. And in reality, performance needs could result in caching significant data in memory, unencrypted. Another alternative is to ship the encrypted data to the customer for decryption and search, which is a huge bandwidth and latency issue.

Both academics and industry have been working on server-side private search, in which search can be performed without decrypting the data. This comes with some missing functionality (such as efficient wildcard search), but this technical challenge is largely solved.

It doesn't make sense to compare cloud security to noncloud security, especially from a technical perspective. The bottom line is that we can only make valid comparisons for a specific cloud and a specific noncloud deployment. The answer to all cloud security and resilience questions ends up being “it depends”—based on the relative qualities of physical security, workforce security, infrastructure security, and application security.
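An added illustration, not part of the editorial, of the server-side search idea mentioned above: a deterministic keyed-token index, which is a deliberately simple stand-in for the private-search schemes the text refers to. It assumes message bodies are encrypted separately on the client; the key, the mailbox and all names are constructed for the example.

```python
import hashlib
import hmac
import re


def keyword_token(index_key: bytes, word: str) -> str:
    """Client side: keyed, deterministic token for one normalized keyword."""
    return hmac.new(index_key, word.lower().encode("utf-8"), hashlib.sha256).hexdigest()


def build_index_entry(index_key: bytes, plaintext: str) -> set:
    """Client side: tokens for every distinct word, computed before upload."""
    words = set(re.findall(r"[a-z0-9]+", plaintext.lower()))
    return {keyword_token(index_key, w) for w in words}


class ArchiveServer:
    """Server side: sees only tokens and opaque message ids, never key or plaintext."""

    def __init__(self):
        self.index = {}  # token -> set of message ids

    def store(self, msg_id: str, tokens: set) -> None:
        for token in tokens:
            self.index.setdefault(token, set()).add(msg_id)

    def search(self, token: str) -> set:
        return set(self.index.get(token, set()))


# Constructed sample data: the index key stays with the customer.
INDEX_KEY = hashlib.sha256(b"constructed demo key, not for real use").digest()
MAILBOX = {
    "msg-1": "Quarterly invoice attached for review",
    "msg-2": "Invoices from the vendor are overdue",
    "msg-3": "Lunch on Friday?",
}


def demo():
    server = ArchiveServer()
    for msg_id, body in MAILBOX.items():
        server.store(msg_id, build_index_entry(INDEX_KEY, body))
    # Exact keyword: the server matches the token without learning the word.
    exact = server.search(keyword_token(INDEX_KEY, "invoice"))
    # Wildcard: a token is all-or-nothing, so a prefix pattern matches nothing.
    wildcard = server.search(keyword_token(INDEX_KEY, "invoic*"))
    # Without the customer's key, nobody can form a valid query token.
    wrong_key = server.search(keyword_token(b"\x00" * 32, "invoice"))
    return exact, wildcard, wrong_key
```

Because the tokens are deterministic, the server still learns which messages share a keyword and when a query repeats, so this sketch trades some leakage for search without decryption.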

