Security in the clouds - or clouds in security?

‘Cloud Computing’ is the marketing term of the moment, despite lacking a formal definition (this is what we came up with).

Undoubtedly, many organisations are looking to source certain IT services from across the internet. While such capabilities may be initiated as standalone, they frequently move on to be used in combination with existing IT services.

Whether or not cloud computing will replace everything that has gone before (no, we don’t believe so either), the use of internet-based services leads to several security considerations. Not only do security professionals need to understand the security challenges inherent in accessing systems and data by way of the Internet, but it is also worth considering whether there are, in fact, opportunities to source security services themselves from the Cloud, i.e. ‘as a service’.

Taking the first point, some obvious areas must be checked with each service provider for every Cloud / SaaS service being considered. As with all IT services, an organisation must decide what levels of security and data protection are applicable to the service under consideration. All systems need to be secure, but the precise nature of security to be implemented varies depending on the nature and value of the service being considered and the data generated.

Where data is required to be kept confidential, for example, this may require some data elements to be encrypted and it will be necessary to ensure that the supplier’s internal processes, staff and systems meet the desired security criteria. This may apply just as much to the physical elements of the service (data centre access, rack access, staff vetting etc.) as to the IT service elements.

There is then the old chestnut of how the data and service is backed up and how the data recovery process functions. Despite the popular conception that cloud providers are in some way ‘better’ than internal operations, there is no reason or proof why this should be the case (indeed, recent data loss cases such as ma.gnolia.com suggest that organisations would do well to proceed with appropriate caution).

It's the process, stupid

Taking things more broadly than the data, it is essential to investigate how all operational and administrative processes function. For example, how are new users added and who can authorise service changes and amendments? Process, process and process are just as important in cloud security as for internal operations.

Then there are a few thorny legislative matters. Where are the servers hosting the cloud based? Whose legal jurisdiction covers any data held on the servers and under what circumstances will the provider disclose said data to third parties? Do these legal obligations contradict any local laws where the customer is based? There is clearly plenty of scope for lawyers to get a much needed and well deserved crust or two.

Finally there is the question of the financial stability of the service provider. And more importantly what happens if they go out of business suddenly or simply choose not to carry on providing the Cloud / SaaS service? Essentially this comes down to questions of how can any data and other valuable information be retrieved at a forced end of service or when the customer simply decides to terminate the arrangement? Can data be retrieved simply and easily? How will the service provider ensure that it removes such data, and any backup / replica copies from systems and ensures that these are either destroyed or placed securely in storage where they cannot be accessed?

These are difficult questions, and our advice at this stage is based on ‘due diligence’ – that is, treat cloud service providers in the same way as any other service provider, assessing their capabilities and inherent security risks accordingly.

As mentioned earlier, Cloud Computing may come with risks attached, but it can also provide a basis for the delivery of security services themselves. There are a number of good reasons for this – not least that many of the threats already exist in the cloud, and therefore the cloud is a good place to deal with them.

An additional factor concerns the nature of security itself. IT security is a specialist concern, requiring a complex array of skills which many organisations would be hard pressed to come by. It therefore makes sense to see IT security from the perspective of service provision, and the cloud is one of a number of appropriate delivery mechanisms.

Supplementary benefit

Everything from anti-virus / anti-spam updates, to vulnerability assessments and services that record the safety of millions upon millions of ever-changing web pages, can be taken as some variation of a cloud offering. In fact it is today possible to utilise almost all of the standard security services employed to protect endpoint devices, as well as many of the services intimately linked to security that have traditionally only been deployed in the customer's own data centre.

Cloud based security services have a lot to offer in many scenarios and there is every likelihood that such solutions will increasingly be deployed to supplement traditional security systems. Note we use the term ‘supplement’ – it is highly unlikely that organisations will replace internal systems wholesale with cloud-based services any time soon. And while there are internal systems, there remains a need for internal security.

To conclude, Cloud computing is a work in progress and should be treated as such. Of course, many security issues are still to be worked through. In the meantime, you can expect to see IT security vendors stepping up to the plate. Cloud has its benefits even in security, but don’t start throwing out existing tools and practices until you are confident of a better, more cost-effective alternative to suit your own needs.
