Understanding the Challenges of Cloud Computing Security

An Internet.com Security eBook®: Understanding the Security Challenges of Cloud Computing


8/6/2019 Understanding the Challenges of Cloud Computing Security

http://slidepdf.com/reader/full/understanding-the-challenges-of-cloud-computing-security

Understanding the Security Challenges of Cloud Computing


Contents

2 Enterprise Cloud Computing: Risk and Economics

4 Cloud Computing Faces Security Challenges

6 Cloud Computing Requires Security Diligence

8 Three Steps to Secure Cloud Computing

10 How Cloud Computing Security Resembles the Financial Meltdown

This content was adapted from Internet.com’s Enterprise IT Planet, eSecurity Planet, CIOUpdate, and Datamation websites. Contributors: Sonny Discini, David Needle, Robert McGarvey, and James Maguire.


Understanding the Security Challenges of Cloud Computing, an Internet.com Security eBook. © 2010, Internet.com, a division of QuinStreet, Inc.


Enterprise Cloud Computing: Risk and Economics

By Sonny Discini

Everyone is talking cloud these days, and why not? The offerings are maturing, and the benefits are starting to appeal to those who want to solve enterprise risk and economic issues still on the table. Things like pay-per-use models now have us looking at how we assess hardware and software costs. You can now pay for only what you use instead of buying a full application suite. But can the economic and risk factors drive enterprises over to full cloud deployments?

A New Way of Doing Business

As I just mentioned, the enterprise now has a new way of looking at the economics of operational IT. This extends from core apps right down to enterprise security. Cloud computing is better at optimizing capital investments because it enables lower capital investments in hardware, software, and real estate; instead of investing in them, enterprises procure cloud services. This significantly lowers total cost of ownership, which traditionally has been a significant cost to the enterprise.

When we think of large enterprise IT, we cannot let go of the old assumption that it is slow to move when it comes time to make a change. Cloud offerings may crush this old adage. Cloud computing typically requires significantly less time and effort to provision additional resources for existing applications or new resources for new applications. The straightforward procurement model and use of shared infrastructure also leads to greater agility of the cloud computing model.

Another area where costs have been traditionally high has been in IT talent. Cloud models will allow the enterprise to tap talent pools for a fraction of the cost of retaining in-house staff. This will give IT pros heartburn, but for those who are able to shift on the fly, IT pros will be able to turn their focus to solving business problems. The enterprise can then fully focus on business objectives and allocate more resources to solve business problems, even the ones that were practically insolvable with in-house staff. From another angle, the cloud model now gives small organizations access to IT services and talent previously out of reach. The small organization now has the ability to tap the same level of talent and services as the large enterprises.

You Cannot Shift Risk

Cloud computing offers computing architectures and innovation potential never before seen in large and small enterprises. It is important to understand that risk does not evaporate in the cloud; nor does it shift to the cloud provider. Enterprise security professionals have been waving the red flag to C-level executives interested in migrating to the cloud. Questions must be asked such as:

• Which risks related to service reliability, availability, and security arise?
• How much control can the user exert over the services provider?
• What control must be given to the provider and what trust assurances exist?

Given that cloud models are new, even with the SLAs provided today, an enterprise can quickly find that what it thought it was getting may not be the case at all. Legal departments are also seeing cloud issues for the first time, so it is extremely important to involve all enterprise teams when looking at cloud contracts, potential litigation exposures, and of course security risks.

Cloud computing offers significant benefits to the organization in terms of economics, agility, innovation, simplicity, and even social impact. However, the devil is in the details, and while there are many benefits to the cloud model, the trust and risk aspect of the cloud is still widely unknown, and hence, very dangerous. When enterprise architects and security pros design controls around business processes, they will have to take traditional tools and refine them to provide sufficient protection to the enterprise in this new dawn of computing.


Cloud Computing Faces Security Challenges

By David Needle

Is cloud computing adoption hurt by security issues, compliance concerns, or just a poorly chosen name?

“The worst thing we ever did was coin the term ‘cloud,’ which takes a business process and makes it sound ... out there,” said Thinkstrategies analyst Jeff Kaplan.

But John Weinschenk, CEO of security firm Cenzic, said cloud security is far more of a pressing concern. “It’s actually impossible to secure the [public] cloud today,” he said. “You just don’t know if your information is going to be processed in Czechoslovakia or Russia, and what they’re going to do with it. And if anything goes wrong, who do you sue?”

John Desantis, CEO of identity management provider Tricipher, agreed. “There is a thin veil that is clearly being penetrated,” he said.

But Weinschenk and Desantis made clear they were talking about public, consumer service-style cloud providers. Weinschenk said the future for enterprises lies in private and semi-private clouds that are more closed systems where the security parameters and service guarantees are known.

Nicholas Popp, vice president of product development at domain management and security provider Verisign, however, disagreed to the extent that he said companies like his have the potential to make cloud services even more secure than traditional datacenter solutions.

“Customers think security is the cloud issue, but it’s really a trust issue ... a governance issue,” Popp said. “Can I set the policies I want to and impose them? And second, can I verify that the policy works? It’s about governance and control issues.”

“You never sell security,” he added. “You sell compliance to those who need it. When we look at people embracing the cloud, it’s really from the big guys who control a private cloud and can scale it to realize the benefits. The other buyers are SMBs who are looking to outsource everything.”

Randy Barr, chief security officer at Qualys, said enterprises are demanding their cloud service providers offer greater visibility to make it clear that the systems are secure — a service his firm provides.

“You can get scans of the cloud system for vulnerabilities,” he said. “We’re seeing more transparency from providers to meet this demand.”

CIO Objections

Security isn’t the only concern enterprise buyers have about cloud computing systems, which in theory can save an order of magnitude in costs over companies buying and managing their own computing infrastructure.


“From an enterprise perspective, the CIO wants to hold off,” said Joe Tobolski, a partner at Accenture Technology Labs. But he warned that cloud services are already popular, if you include social networks like Facebook and Twitter as well as e-mail services like Gmail, in the mix. These services “are ridiculously easy to sign on to. There is going to be a clash of the command and control infrastructure that a lot of CIOs prefer to those people who want to get stuff done.”

Charles Carmel, vice president of corporate development at Cisco, said that trends like the cloud and software-as-a-service (SaaS) in particular are causing “one of the largest disruptions across the IT landscape.”

But Marc Benioff, CEO and founder of one of the best known and most successful SaaS providers, Salesforce.com, conceded that “the vast majority of software is still with companies in their datacenters.”

“That’s the opportunity,” Benioff added. “I try to educate people because companies want to hold [us] back, like the people that want to sell more servers.”


Cloud Computing Requires Security Diligence

By David Needle

Offloading IT infrastructure to a cloud computing provider can result in great cost savings and more streamlined, flexible operations. Need more compute power or storage? Cloud systems like Amazon’s readily scale so there’s no need to go through a time-consuming purchasing process or scrambling to find more room for an expanded datacenter.

But the cloud is not a panacea, and the need to adhere to information management best practices remains, Symantec executive Deepak Mohan told InternetNews.com.

Mohan should know.

In his position as senior vice president of Symantec’s Information Management Group, he oversees a range of products and services including archiving and backup of information management and regularly meets with enterprise customers. The company also works with leading cloud providers like Amazon to ensure their services are compatible.

He jokes that the cloud is very “cloudy” when it comes to enterprise adoption as companies are still experimenting with the best way to leverage it and feel confident their data is secure. Mohan said he’s frequently seeing a hybrid approach where companies rely on a cloud provider for storage for certain applications, but also maintain on-premise backup for security and recovery and to make sure they can adhere to compliance requirements.

“Inside the cloud, customers need the same level of security and data protection,” said Mohan. While managed service providers offer service level agreements (SLA) and security assurance, Mohan said companies can and should take extra steps to ensure their information is safe.

“There are many security endpoints with cloud services and that’s where authentication becomes very important. It’s a big area of investment for us,” said Mohan, noting Symantec’s $1.28 billion purchase of VeriSign’s authentication services unit.

“Amazon is going to encrypt and store your files, but the backup data stream may be unencrypted. So things like security in transit are services we provide that support the hybrid, cloud and on-premise use cases.”

Mohan also said it’s important for companies, particularly those in highly-regulated industries like finance and health, to be sure their information on the cloud is organized both for retention and compliance.

“The cost of legal e-discovery can exceed government fines. It’s very expensive to do on a reactive basis and lawyers love it because they charge by the hour and the page,” said Mohan. “What you want to do is instrument your information on the way in, not after the fact.”

Symantec is one of many providers that have services to index and protect data. Mohan said Symantec’s Enterprise Vault archiving platform follows the EDRM (Electronic Discovery Reference Model) and offers different export formats for outside counsel that are admissible in court.

“Some companies are ahead of the curve and moving proactively to make sure their information is being managed effectively,” said Mohan. “Another class of companies really gets serious after their first litigation request.”


Three Steps to Secure Cloud Computing

By Robert McGarvey

You can close your eyes and pretend it is not happening — many CIOs are doing exactly that — but face this reality: “Cloud computing is with us to stay. Everybody will soon be using it.”

At least this is the prediction of Jim Haskin, CIO at Websense, a San Diego-based data security provider, and others.

A scary thought? For many CIOs, yes. “They are panicking about this,” said Kirill Sheynkman, CEO of San Francisco-based Elastra, a developer of applications currently deployed in association with Amazon’s cloud computing offering. The panic is well-founded, isn’t it? Because of the security concerns that come with jumping the firewall?

Sheynkman snorts: “Security is not the issue. Do you think your IT department knows more about data security than Amazon does?”

Reality check: “Data security in the cloud is no different than data security at a remote data center,” said John Lytle, a senior consultant with IT consulting firm Compass in Chicago.

In many cases, data at most companies “are more at risk in their own environment than in a well-managed cloud,” said Mike Eaton, CEO of Cloudworks, a Thousand Oaks, Calif.-based provider of cloud-based services, primarily to small and mid-sized businesses.

Capable Hands?

The big cloud players — Amazon, Google, Oracle/Sun, Salesforce.com — know more than a little about maintaining online security and, considered in that context, worries about outsiders knocking down the security walls and having their way with your data indeed seem over-wrought. “There’s been a lot of over-reaction,” said Sheynkman. “The question should not be about data security in the cloud,” elaborates Haskin. We need to be asking other questions that probe exactly why we are afraid of cloud computing and certainly, as a group, CIOs are resisting it. But just maybe that has to end because time to dither may be running out for CIOs.

Bill Appleton, chief technical officer at Mountain View, Calif.-based DreamFactory, a developer of cloud-based applications, ominously warns: “The cloud may skip IT and sell directly to end users. It might simply bypass the command and control system of IT.”

And that may be the legitimate worry. That’s because a CIO nightmare revolves around unauthorized use of public cloud resources by employees who may be putting sensitive internal data online at Web-based spreadsheets or into slide shows.

“Most CIOs worry a lot about employees putting data that shouldn’t be public in public places,” said Christopher Day, senior vice president of security services at Terremark Worldwide, a global provider of IT infrastructure. That fear is justified. What would the board of directors say if it discovered the company’s strategic plan was accessible in a public cloud? But Day also suggests that CIOs can snuff out this potential firestorm simply by taking a direct approach.

“Just put into place clear policies, then educate employees about them,” said Day.

Pull your head out of the sand (or clouds as the case may be) and directly attack this concern. That is how to make it vanish. Understand too that employees who upload sensitive data usually mean well. They are just looking for better ways to work. Look for other, more secure ways to let them do exactly that, adds Day. Take those two steps and most likely cloud-based shadow IT will diminish in your organization.

Securing the Logon

Another, lingering worry about cloud computing is that — with many providers — log-ons are too primitive. “Large enterprise will not embrace the cloud until security significantly improves,” flatly predicts John Gunn, general manager at Chicago-based Aladdin, a developer of digital security tools. The worry here is that when barebones log-ons are in use, old-fashioned social engineering techniques will let hackers learn employee log-ons and, watch out, data leakage will be at flood stage.

But, said Gunn, the solution is simple: enterprises should only permit data to migrate to the cloud where two-factor, strong authentication is in use and, right there, hackers probably are kept at bay. Take just that step, suggests Gunn, and considerable big company opposition to cloud computing would instantly evaporate. Most mainstream cloud providers are hanging back on this but, suggests Gunn, when enough users cry out for safeguards the cloud companies will respond.

Here Today …

A final, big worry, particularly in today’s unstable economy, is the durability of the cloud provider, said Raimund Genes, CTO at Trend Micro, the global security company. “You need a provider that will be in business three years from now. When you give up your IT infrastructure, you need a reliable service provider.” When a cloud provider goes bankrupt how accessible is your information, by whom? Better not to deal with such questions at all by instead going with cloud providers that have the wherewithal for a long-haul contest.

Parting advice for CIOs who are still wringing their hands in worry over data in the cloud comes from Elastra’s Sheynkman who reminds us: “It’s not all or nothing. It does not have to be. Put only the data you are comfortable with on the cloud. That is what most companies seem to be doing. We are still in an era of experimentation.”

Take it in little steps but start taking some steps, that’s the smart way to embrace the cloud.


How Cloud Computing Security Resembles the Financial Meltdown

By James Maguire

How do you know if a cloud computing vendor is secure?

After all, you trust them with highly sensitive data and business critical processes. Your entire business may rest on your ability to evaluate their level of security.

When they make claims about their nearly absolute level of safety, should you just take their word for it?

Goodness no, say the vendors, we’ve got a third-party certification to back up our claims. Specifically, they point to their SAS 70 certification. SAS 70 is a set of auditing standards used to measure the handling of sensitive information. It was created by the impressively named American Institute of Certified Public Accountants (those folks know how to fill out forms). SAS 70 was around before cloud computing, and has been shoehorned into use by vendors seeking an impartial third-party credential to reassure nervous cloud customers.

But here’s where it gets dubious. Guess who writes a check to the SAS 70 certifiers? Believe it or not, it’s the vendors themselves. If you were a cynical, non-trusting type (which you should be if your company’s data is at stake) you might wonder if that is a conflict of interest. Don’t accounting firms have a vested interest in granting SAS 70 certifications to those cloud computing vendors who can pay for them?

Hmmm… as a client of a cloud vendor, I’m feeling nervous. But SAS 70 really does mean something, doesn’t it? Well, probably.

More troubling, at this point you might have a moment of déjà vu. Wasn’t a similar conflict of interest at the heart of the recent financial meltdown?

In the view of Jay Heiser, a Gartner analyst who specializes in security, the connection is clear. He’s the author of the research report “Analyzing the Risk Dimensions of Cloud and SaaS Computing.” After reading Michael Lewis’s account of the financial debacle, The Big Short, Heiser told me, “I found more parallels between what happened in the financial services and cloud computing than I anticipated.”

Let’s rewind the tape a bit. A distressing fact about the Crash of 2008 is that the major credit rating agencies – the very groups tasked with protecting investors – were tacitly complicit.

The two biggest ratings agencies, Moody’s and Standard & Poor’s, failed to send up red flags about subprime mortgage-backed securities. These supposedly impartial watchdogs evaluate the credit worthiness of securities, enabling investors to make informed decisions. Yet instead of labeling junk as junk, they bestowed a top AAA grade on highly risky assets.

Shockingly, virtually all of the AAA-rated subprime-mortgage-backed securities issued in 2006 have now been downgraded to a junk rating.

It was a clear conflict of interest. These ratings agencies are paid by the issuer of the security. Perhaps it’s not surprising that they labeled some rotting sausage as high-grade beef. If one of the agencies had threatened to give a low (but accurate) rating, the issuer would simply shop at another ratings agency. The system itself was set up to provide false assurance.

Now back to cloud computing and SAS 70. OK, let me get this straight: the cloud companies pay accounting firms for SAS 70 certifications just as the financial organizations paid Moody’s for an investment-grade rating?

“Yes, if you see someone who claims to be SAS 70, they have paid an accounting firm. Not only have they paid an accounting firm to go do the test, but they’ve told the accounting firm what processes need to be tested,” Heiser says.

“And you see a distressing number of providers that are claiming, ‘Well, we’re secure, or we have availability – it’s proven by the fact that we have a SAS 70.’”

This statement echoes a key finding that Heiser noted in his report:

Third-party certifications are immature, are unable to address all aspects of cloud-computing risk, and should be relied on only after a thorough evaluation of the written report.

To be fair, a SAS 70 is likely more than a mere piece of paper. It may prove more than the fact that the vendor has the money to hire an accounting firm. Perhaps it should be thought of as a good starting point. Still, the responsibility remains squarely on the client to evaluate the SAS 70’s written report and make their own determination. Were the right controls included? Were they evaluated to the appropriate degree?

In other words, buyer beware. You have to do your own digging. From Heiser’s report:

Do not accept the claimed existence of a certification or other third-party assessment as being adequate proof of security and continuity fitness for purpose. Thoroughly review the assessor’s written report to ensure that the scope of evaluation is adequate, and that all necessary processes and technologies were appropriately addressed.

But is it IT?

An additional question bedevils the debate over cloud security: Is SAS 70 — even if administered by an impartial third party (which it’s not) — an insightful evaluation of a cloud computing vendor’s security?

SAS 70 was never designed for this use, though in theory it could address an IT risk scenario. “Call me a cynic, but SAS 70 is an auditing standard originally intended to be used against processes relevant to financial statements, secondarily to financial transactions,” Heiser says.

“So the thing starts very, very far away from anything that would traditionally be considered an information security or a business availability assessment. It’s done by accounting firms.”

A common perception of the financial evaluators involved with false credit ratings is that they were not the cream of the Wall Street elite. Those brighter talents were pursuing vastly more remunerative activities.

In contrast, “I would expect that whoever is doing a SAS 70 is a fairly ambitious [staffer] at a CPA firm,” Heiser says.

“Still, are they auditors? IT? Did they go to Purdue and get a Master’s degree in Information Security? What’s their background for all this?”

The moral of this cautionary tale is best summed up with a last key finding from the Gartner report:

Be skeptical of vendor claims, and demand written or in-person evidence.