Security Risks in the Cloud – Reality, or A Broken Record?
Ted Kritsonis
SPOTLIGHT, JANUARY/FEBRUARY 2011

The cost savings of cloud computing versus the anticipated security risks: it’s the broken record that seems to be on continuous loop for security professionals contemplating their strategy. Ted Kritsonis examines the key considerations.

There may have been slow movement in getting there, but cloud computing is a reality that is already starting to hit home for IT professionals. One explanation for this is that company executives are thrilled about its positive effect on the bottom line. Others are shunning the evolution to the cloud because of what they perceive to be risky security breaches just waiting to happen. Of the two dissenting views, which is right?

When it comes to protecting an organization’s data and assets from holes in the cloud, the answer likely falls somewhere in the middle under current circumstances. Still, the onus is on IT professionals to better understand how to manage and protect those assets in anticipation of a move to the cloud.
Security in the Cloud

For the executives, it’s hard to argue with the potential for a huge reduction in costs, the possibility of managing all network security from a single point, real-time protection without any impact on the systems, as well as the option to outsource the service.

Even with all that in mind, those who must worry about such things are already moving to assess what must be done. In order to do that, however, they need to be clear on the distinction between ‘cloud computing’ and ‘cloud security’, says Luis Corrons, technical director at PandaLabs, the virus research arm of Panda Security, which develops cloud-based security solutions for enterprises.

“Cloud computing is related to the databases, customer relations management (CRM) software and more, based in the cloud”, Corrons says. “[This] means that the major sensible information of the company – that related to their customers – is based in the cloud. To do this, they must upload everything in the system they are using, as in the case of a CRM or enterprise resource planning (ERP), for example.”
Corrons goes on to say that IT managers used to be worried about the security of the company’s main data and the threat of being intercepted when using communication protocols. However, he says that implementing a cloud security solution that encompasses these concerns and more can be done regardless of the type of application, platform or infrastructure the organization is using.

“In the case of cloud security, that means all the core security processes are in the cloud, keeping systems free of resources for any other activities”, he says. “Every single file that needs to be checked against the cloud remains in the machine, and we are only analyzing some traces of it. So, there are no worries about using cloud security because companies don’t need to move any data to the cloud.”
While security services and protocols will no doubt evolve to meet the needs and assuage the fears of clients, there is much to think about when it comes to developing a strategy around deployment, says Mark Darvill, director at AEP Networks. He breaks down the issue of access management, as in who can access what and from where, into three core fundamentals.

The first is that once every device is deemed fully compliant with security standards, there should be an authorization fingerprint that defines its security posture and grants access thereafter. The second is that organizations must protect their most critical data with tamper-proof encryption while it is held in the cloud, and if the data is highly sensitive, sourcing the network traffic should be done as well. The final element is endpoint and application access control: protecting cloud-based data in a seamless, end-to-end, policy-based solution can prevent unauthorized data leaks from the cloud. This includes ensuring compromised data is not placed in the cloud from an endpoint, he says.

“IT departments must look beyond their own corporate borders and double check what security measures third parties have in place to protect their sensitive data”, Darvill adds. “Data protection is no longer just about protecting data when it is on your premise, so IT departments need to keep in mind exactly who is looking after their data in both its physical and virtual forms, and how it is being secured.”
Money Matters

Darvill adds that cloud computing reinforces some existing challenges for IT departments, but it doesn’t actually present any unique ones unless companies decide to outsource it. “Traditionally, service providers have struggled to acquire the latest security defenses due to a lack of flexible pay-as-you-go pricing models. Although this is slowly changing, it still presents a challenge for businesses looking to migrate to the cloud”, he says.

Part of that challenge also includes the separation and segregation of data, because resources are shared rather than dedicated in the cloud, says George Thompson, director at KPMG Performance and Technology, based in London. Data assurance and processing will be a cause for concern, despite the cost benefits associated with moving to the cloud.

Thompson feels that organizations planning to go with a private cloud for their apps may not re-engineer them for security in the public space, thereby running the risk of not being able to take advantage of those potential cost benefits.

“The more challenging aspect is how customers can be assured that the mechanisms and processes behind the scenes are effectively securing their data”, Thompson says. “Once you get into the cloud, you don’t really know where it is, and you are really relying on the access control preferences being 100% effective, so those access control preferences need to be highly matured.”

He adds that processing sensitive data should be done in the private cloud, except that IT departments have to re-engineer their applications so they can weave them into the public cloud once any issues are cleared up. “Some are looking into polymorphic encryption, which shows promise at being able to process encrypted data, but that technology isn’t available yet”, he says.

Thompson is quick to point out that IT professionals understand the technology, but pushing data into the public space is not something they are particularly experienced in. This is why they should make sure that the right data governance and processing is put in place, including provisions that ensure this is done properly.
Cloud Security Essentials

Dennis Hurst is an applications and security specialist at HP, as well as leader of the educational working group at the Cloud Security Alliance (CSA), a non-profit umbrella organization promoting security assurance and education on the uses of cloud computing. He believes cloud-based security concerns are fundamentally the same as they are for non-cloud systems, except that the environment, architecture and level of control change significantly.

“As an example, security audits are a normal part of a traditional security process, but as companies move to the cloud properly, a vendor audit is essential to security”, Hurst insists. “Also, service level agreements with vendors regarding uptime, disaster recovery and responses to security events are critical in a cloud-based environment, while they are typically not part of a non-cloud based environment since these are internal issues.”

He adds that because most of the relationships between a customer and vendor are governed by these agreements, it’s arguably one of the most critical parts of any cloud initiative. This is vital to understanding the inherent risk associated with managing and storing data in a cloud-based application. A similar one running in a data center holds certain security measures put in place by virtue of being inside the corporate firewall and physically located in a building.

“As companies move to the cloud they must verify everything to ensure that their cloud-based vendors meet the same or higher standards”, Hurst says. “In many cases, the cloud-based application may be far more secure, but this still has to be verified first.”

On the other hand, regulations don’t usually prohibit or promote the use of cloud technologies; they only specify what must be done, regardless of where a system is located. What matters most is that liability for regulatory compliance still lies with the organization deploying a cloud-based service, including assurance that the service itself is compliant. This will almost certainly require an explicit evaluation of the security controls in place in a company’s data center.

“Many companies are offering services and products specifically targeted at cloud-based systems and others are offering their products in a cloud-based model”, Hurst continues. “However, there are no ‘silver bullets’ – addressing security in the cloud requires a holistic approach that not one product can fully address.”