Feeds

Security in the clouds - or clouds in security?

Supplementary benefits

Protecting against web application threats using SSL

‘Cloud Computing’ is the marketing term of the moment, despite lacking a formal definition (this is what we came up with),

Undoubtedly, many organisations are looking to source certain IT services from across the internet. While such capabilities may be initiated as standalone, they frequently move on to be used in combination with existing IT services.

Whether or not cloud computing will replace everything that has gone before (no, we don’t believe so either), the use of internet-based services leads to several security considerations. Not only do security professionals need to understand the security challenges inherent in accessing systems and data by way of the Internet. But also, it is worthwhile considering if there are, in fact, opportunities to source security services themselves from the Cloud, i.e. ‘as a service’?

Taking the first point, some obvious areas must be checked with each service provider for every Cloud / SaaS service being considered. As with all IT services, an organisation must decide what levels of security and data protection are applicable to the service under consideration. All systems need to be secure, but the precise nature of security to be implemented varies depending on the nature and value of the service being considered and the data generated.

Where data is required to be kept confidential, for example, this may require some data elements to be encrypted and it will be necessary to ensure that the supplier’s internal processes, staff and systems meet the desired security criteria. This may apply just as much to the physical elements of the service (data centre access, rack access, staff vetting etc.) as to the IT service elements.

There is then the old chestnut of how the data and service is backed up and how the data recovery process functions. Despite the popular conception that cloud providers are in some way ‘better’ than internal operations, there is no reason or proof why this should be the case (indeed, recent data loss cases such as ma.gnolia.com suggest that organisations would do well to proceed with appropriate caution).

It's the process, stupid

Taking things more broadly than the data, it is essential to investigate how all operational and administrative processes function. For example, how are new users added and who can authorise service changes and amendments? Process, process and process are just as important in cloud security as for internal operations.

Then there are a few thorny legislative matters. Where are the servers hosting the cloud based? Whose legal jurisdiction covers any data held on the servers and under what circumstances will the provider disclose said data to third parties? Do these legal obligations contradict any local laws where the customer is based? There is clearly plenty of scope for lawyers to get a much needed and well deserved crust or two.

Finally there is the question of the financial stability of the service provider. And more importantly what happens if they go out of business suddenly or simply choose not to carry on providing the Cloud / SaaS service? Essentially this comes down to questions of how can any data and other valuable information be retrieved at a forced end of service or when the customer simply decides to terminate the arrangement? Can data be retrieved simply and easily? How will the service provider ensure that it removes such data, and any backup / replica copies from systems and ensures that these are either destroyed or placed securely in storage where they cannot be accessed?

These are difficult questions, and our advice at this stage is based on ‘due diligence’ – that is, treat cloud service providers in the same way as any other service provider, assessing their capabilities and inherent security risks accordingly.

As mentioned earlier, Cloud Computing may come with risks attached, but it can also provide a basis for the delivery of security services themselves. There are a number of good reasons for this – not least that many of the threats already exist in the cloud, and therefore the cloud is a good place to deal with them.

An additional factor concerns the nature of security itself. IT security is a specialist concern, requiring a complex array of skills which many organisations would be hard pressed to come by. It therefore makes sense to see IT security from the perspective of service provision, and the cloud is one of a number of appropriate delivery mechanisms.

Supplementary benefit

Everything from anti-virus / anti-spam updates, to vulnerability assessments and services that record the safety of millions upon millions of ever changing web pages can be taken as some variation of a cloud offering. In fact it is today possible to utilise almost all of the standard security services employed to protect end point devices as well as many of the services intimately linked to security that have traditionally only been deployed in the customer's own data centre.

Cloud based security services have a lot to offer in many scenarios and there is every likelihood that such solutions will increasingly be deployed to supplement traditional security systems. Note we use the term ‘supplement’ – it is highly unlikely that organisations will replace internal systems wholesale with cloud-based services any time soon. And while there are internal systems, there remains a need for internal security.

To conclude, Cloud computing is a work in progress and should be treated as such. Of course there but many security issues are still to be worked through. In the meantime, you can expect to see IT security vendors stepping up to the plate. Cloud has its benefits even in security but don’t start throwing out existing tools and practices until you are confident of a better, more cost effective alternative to suit your own needs.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.