Cloud Security Not So Secure?


Ericka Chickowski reports:

Over the past two days I've been attending sessions at the Security Practitioners Conference, which is run as a component of The Open Group Conference in San Diego. Much of the content yesterday focused on security in the cloud, with bigwigs from Salesforce.com, Amazon Web Services, IBM and the like stepping in front of the crowd to pitch their security controls and quell some of the qualms currently keeping many organizations from dipping their data into the cloud.

While some of the controls may be robust, I'm going to throw my lot in with Eric Maiwald, vice president and research director of risk management strategies for Burton Group Security, who hosted an end-of-the-day wrap panel and started it by saying, "I've been listening here today and I don't know if I should be encouraged or really depressed."

The security model is so immature right now that it is clear that most of the assurances cloud vendors offer are around infrastructure and covering their own respective risks. Most cloud vendors will tell you outright that it is up to the customers to individually secure their own applications and data in the cloud, for example, by controlling which ports are open and closed into the customer's virtualized instance within the cloud.

As Maiwald puts it, enterprises need to be aware of this distinction. Security in the cloud means different things to those offering cloud services and those using cloud services. Even if you're working with the most open and forthright vendors who are willing to show you every facet of their SAS 70 audit paperwork and provide some level of recompense for security glitches on their end, they're most certainly not assuming your risks. For example, if Amazon Web Services screws up and your applications are down for half a day, it'll credit you for 110 percent of the fees charged for that amount of time, but you're still soaked for any of the associated losses and costs that come as a result of the downtime.

As organizations weigh the risks against the financial benefits of cloud computing, Maiwald believes they must keep in mind that, "There is risk that is not being transferred with that (cloud services) contract."

It still may not be enough to deter certain organizations looking to cut costs, but it should definitely play into a risk assessment formula before you decide to float away into the cloud.


3 Comments for "Cloud Security Not So Secure?"

  • glosec January 21, 2010 12:22 pm

    With enterprises still hesitant to adopt cloud computing, it is no surprise that they pretty much echo one another regarding the concerns of security and reliability in the 'cloud'. This topic relates to Global Security Challenge LLP's latest competition, The Cloud Security Challenge 2010. We invite ideas/innovations that help to make cloud computing secure and reliable to enter. Backed by HP Labs, 1st prize is $10,000, exclusive mentoring along with access to HP Labs testing facilities. The Cloud Security Challenge 2010 is also supported by cloudsecurity.org and cloudsecurityalliance.org. Please visit www.globalsecuritychallenge for more details and entry submission. We are always on the lookout for organisations like Novell to become involved and welcome inquiries of this nature also. All the best, Team GSC

  • Peder Jungck February 12, 2009 2:16 am

    Thank you for highlighting the concerns around Cloud Computing security. The benefits of cost savings and on-demand scalability are very attractive to customers, however, as you mentioned the risks change. Different providers are touting their advances in securing their infrastructure and working hard to give customers confidence in the security of their offerings. I am a strong proponent that the benefits outweigh the expense of not leveraging the advances of Cloud Computing but equally am adamant that the security must be focused upon and scrutinized more fully. When computing is being done within an enterprise, predominately we have only the concerns of the enterprise to worry about. As we enter the age of Cloud Computing, two other parties have entered the equation, the Cloud Computing provider as well as the telecom network provider. Securing Cloud Computing cannot be done by the providers like Amazon and Salesforce.com alone. For example, if the DNS servers of your Internet provider resolve Salesforce.com to an alternate destination where employees blissfully enter their credentials, how confident can you feel about your service? Nothing is insurmountable to secure, it just needs to be addressed. It would be great to see a blueprint for security in the Cloud that involves the aspects that must be done by the Enterprise, Cloud Computing provider and your telecom providers in between the two such that as an Enterprise it is easier to discern the robustness of the security offered.

  • Alan McRae February 09, 2009 9:26 am

    Very important heads up on a contemporary topic of concern. Some of our solution provider partners are considering cloud offerings to meet client TCO requirements, and most don't realize that there are some very scary security liability & due diligence issues that could blow up in their faces one day. I hope you will publish a more detailed article on Cloud Computing Security Architecture that will get us all focused on the same page.
