Cloud Security A Moving Target
May 28, 2011
By 2015 the global cloud computing market will reach $121.1 billion. IDC says that businesses are more concerned about the risks involved--including security, availability and performance--than with the benefits of flexibility, scalability and lower costs.
According to a recent survey of more than 1,000 security professionals in the InformationWeek Analytics 2011 Strategic Security Survey, the cloud is here to stay, especially for small and midsize companies, and so, too, are concerns about cloud risk. The survey shows that the No. 1 worry is security defects in the technology used by cloud providers--that is, the virtual machines, networks and databases powering the services that are used.
That's followed by the second most pressing concern, unauthorized access to, or leakage of, customer data. In addition, respondents said they were worried that big cloud vendors like Amazon and Microsoft may significantly change their offerings without notice, and that could affect security controls and technology requirements.
The good news, says John Pironti, president of IP Architects, is that security professionals have been grappling with the issues posed by the cloud for decades. This is the third time the industry has had to deal with what he calls time slicing, and it goes back to the days when mainframes ruled the IT roost. "It started out with mainframes, and they did it better, but they didn't have the depth and breadth of applications we have today. In this case, we're using software ... where, with mainframes, [security] was designed in the hardware."
However, the problems are pretty much unchanged, he says, with one of the first goals of cyberterrorism being to attack communications. "The same fundamental attack and threat problems are the ones that will still get you. The adversaries are smarter, better, but they will follow the same basic approach ... follow the value."
While the human asset is your greatest asset, it's also your greatest adversary, says Pironti. "Most companies are having problems dealing with that trusted employee. ... It is a much greater threat than the external hacker."
Cyber-Ark’s fifth annual "Trust, Security and Passwords" report surveyed 1,422 IT staff and C-level professionals across North America and Europe, the Middle East and Africa (EMEA), and found that nearly one in five C-level respondents admit insider sabotage had occurred at their workplace. Another 16% believe that competitors may have received highly sensitive information or intellectual property--including customer lists, product information and marketing plans--from sources within their own organization.
The biggest cloud security challenge revolves around visibility and availability, says Pironti. Vendors are putting out a multitenant strategy, including shared storage, and telling users not to worry about how it works.
That attitude contradicts the trends of the last five-plus years toward good governance, with appropriate metrics and monitoring. "We want to know when somebody is affecting our data." The solution is a trust-but-verify model, putting checks and balances in place, he says.
Cloud service and technology vendors must show how they can do this better than the competition, when everybody is pretty much using the same technology, he adds, saying it gets worse because the adversaries have defeated most of the technologies that they say can protect us.
Want more good news? Pironti says while visibility and availability remain problematic in the cloud, the very existence of the cloud bringing together huge amounts of data will attract more predators. Clouds become jump points for people to attack other systems, and they will also use them as factories for attacks.
"Now we're empowering the adversaries." That's the double-edged nature of technology, he says. It can be used for both "good" and "bad" purposes.