Cloud Security Challenges Include Audit Trails, Preventing Attacks - InformationWeek
Cloud // Infrastructure as a Service
07:03 PM
Connect Directly

Cloud Security Challenges Include Audit Trails, Preventing Attacks

How to build an effective Security Operations Center to cope with new threats in the era of virtualization and cloud computing will be a major topic at the upcoming Connections Conference in Las Vegas in April.

Top 10 Cloud Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Cloud Stories Of 2010
The brief called for a Security Operations Center with six core attributes, such as knowing the IT infrastructure well and understanding where the crown jewels resided and mapping possible avenues of attack against them. The center would be able to conceive in advance the protections needed against those attacks, and could plot the swift action needed if those defenses are breached.

In this view, virtualization is not a vulnerability, but one of the lines of defense in depth. A virtual machine can isolate a database or other target and its hypervisor can be closely monitored for any sign of intrusion. If such a sign is detected, the virtual machine can be easily shut off from other resources or even shut down, with a clean copy restarted.

The paper, called Mobilizing Intelligent Security Operations for Advanced Persistent Threats, (pdf) illustrates how security professionals, with great effort, can get the upper hand in the arms race between defenders versus attackers.

Puhlmann said a cloud environment can be made as secure as a data center and, when it comes to PCI transactions, "I don't see why they shouldn't become a commonplace" in the cloud. But the PCI standard will have to "adjust itself to the times" before that will be true, he said.

Puhlmann will try to relate security to the process of innovation that is underway, particularly in cloud computing, "which is moving ahead faster and faster. The cloud is a huge disrupter. It's up to us and others to make sure its security is discussed."

Cloud practices that move data between data centers around the world illustrate how archaic the laws governing data management and security have become, he pointed out. In some cases, data arising in Europe can't leave a nation's borders. Canadian healthcare data can't be stored on U.S. servers.

"We have completely conflicting rules of law enforcement," he said, and until Jan. 1, the PCI council hadn't acknowledged that a PCI compliant process could be established, even if part of it was running on a virtual machine.

"Virtualization is just an enabling technology. What's so different with the cloud is the consuming model," with consumers accessing the cloud from a wide variety of locations. The challenge of managing access is about to expand with the advent of many tablets, smart phones and other mobile devices tapping into the cloud.

Only part of the problem is technical complexity. Just as important is getting the people processes straight and having governance in place so the initiator of an operation in the cloud is doing things correctly, he said. Another complexity is lines of responsibility, who's doing what. "Now there are people handling the system and data who are not employed by you. That changes the notion of who works for your company," he noted.

A cloud's APIs need to be secure and only do the things they are designed to do, not leave maneuvering room for interlopers. "It's crucial these interfaces are rock solid," he said.

There's been no publicized breach based on a malformed API but such an event is probably only a matter of time. From Puhlmann's perspective, the cloud isn't inherently insecure, but neither has it matured to the point where users are assured in all cases of its security.

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll