Cloud // Infrastructure as a Service
News
3/24/2011
07:03 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cloud Security Challenges Include Audit Trails, Preventing Attacks

How to build an effective Security Operations Center to cope with new threats in the era of virtualization and cloud computing will be a major topic at the upcoming Connections Conference in Las Vegas in April.

Top 10 Cloud Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Cloud Stories Of 2010
The brief called for a Security Operations Center with six core attributes, such as knowing the IT infrastructure well and understanding where the crown jewels resided and mapping possible avenues of attack against them. The center would be able to conceive in advance the protections needed against those attacks, and could plot the swift action needed if those defenses are breached.

In this view, virtualization is not a vulnerability, but one of the lines of defense in depth. A virtual machine can isolate a database or other target and its hypervisor can be closely monitored for any sign of intrusion. If such a sign is detected, the virtual machine can be easily shut off from other resources or even shut down, with a clean copy restarted.

The paper, called Mobilizing Intelligent Security Operations for Advanced Persistent Threats, (pdf) illustrates how security professionals, with great effort, can get the upper hand in the arms race between defenders versus attackers.

Puhlmann said a cloud environment can be made as secure as a data center and, when it comes to PCI transactions, "I don't see why they shouldn't become a commonplace" in the cloud. But the PCI standard will have to "adjust itself to the times" before that will be true, he said.

Puhlmann will try to relate security to the process of innovation that is underway, particularly in cloud computing, "which is moving ahead faster and faster. The cloud is a huge disrupter. It's up to us and others to make sure its security is discussed."

Cloud practices that move data between data centers around the world illustrate how archaic the laws governing data management and security have become, he pointed out. In some cases, data arising in Europe can't leave a nation's borders. Canadian healthcare data can't be stored on U.S. servers.

"We have completely conflicting rules of law enforcement," he said, and until Jan. 1, the PCI council hadn't acknowledged that a PCI compliant process could be established, even if part of it was running on a virtual machine.

"Virtualization is just an enabling technology. What's so different with the cloud is the consuming model," with consumers accessing the cloud from a wide variety of locations. The challenge of managing access is about to expand with the advent of many tablets, smart phones and other mobile devices tapping into the cloud.

Only part of the problem is technical complexity. Just as important is getting the people processes straight and having governance in place so the initiator of an operation in the cloud is doing things correctly, he said. Another complexity is lines of responsibility, who's doing what. "Now there are people handling the system and data who are not employed by you. That changes the notion of who works for your company," he noted.

A cloud's APIs need to be secure and only do the things they are designed to do, not leave maneuvering room for interlopers. "It's crucial these interfaces are rock solid," he said.

There's been no publicized breach based on a malformed API but such an event is probably only a matter of time. From Puhlmann's perspective, the cloud isn't inherently insecure, but neither has it matured to the point where users are assured in all cases of its security.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Multicloud Infrastructure & Application Management
Multicloud Infrastructure & Application Management
Enterprise cloud adoption has evolved to the point where hybrid public/private cloud designs and use of multiple providers is common. Who among us has mastered provisioning resources in different clouds; allocating the right resources to each application; assigning applications to the "best" cloud provider based on performance or reliability requirements.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.