Cloud Security In Focus Amid Data Theft Fears - InformationWeek
IoT
IoT
Cloud // Cloud Storage
Commentary
11/11/2009
03:23 PM
Alexander Wolfe
Alexander Wolfe
Commentary
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Cloud Security In Focus Amid Data Theft Fears

Yeah, I know, this is another one of those "everything changes" moments where we're prodded into frenzied activity--as opposed to effective action--because an emerging technology has surged ahead of our ability to properly manage it. I'm talking about cloud computing, and the attendant fears not just of data theft, but of breaches of SaaS computing resources themselves. Fortunately, there are a bunch of below-the-radar efforts attempting to address these worries.

Yeah, I know, this is another one of those "everything changes" moments where we're prodded into frenzied activity--as opposed to effective action--because an emerging technology has surged ahead of our ability to properly manage it. I'm talking about cloud computing, and the attendant fears not just of data theft, but of breaches of SaaS computing resources themselves. Fortunately, there are a bunch of below-the-radar efforts attempting to address these worries.Cloud security reared its head most recently, with Trend Micro chief technology officer Dave Rand being quoted as saying: "Between now and widespread adoption [of cloud computing] we will see massive data theft occurring as people move into the cloud."

Since adoption is ramping up, one can infer that such thefts are already ongoing. (Or, more scarily, one can take a short intellectual leap from my post, Admiral Warns Cybersecurity Threat Looms For U.S., and assume that cloud data thefts are already rampant, we're just not hearing about them.)

It's interesting to note that cloud security holes result not from any inherent shortcomings of the technology itself, but rather from its inherently greater exposure. Namely, it's visible on the Internet. Also, as I mentioned up top, our processes have not yet caught up with our financially induced rush to shed more secure (because they're better, though not entirely, hidden) self-hosted apps, in favor of the promised capex savings of SaaS equivalents.

The most succinct summary of the problem comes via the document, "Security Guidance for Critical Areas of Focus in Cloud Computing," which I encourage you to download from the Cloud Security Alliance [pdf is here], which speaks of the erosion of the traditional security perimeter:

"It is clear that the impact of the re-perimeterization and the erosion of trust boundaries we have seen in the enterprise is amplified and accelerated due to Cloud."

Operationally, one can analogize purchasing cloud services to owning a car. The manufacturer (or, in this case, the vendor) is responsible for creating a safe product. However, practically speaking, the buck stops with you the user as far as ultimately ensuring safe operation.

[Another way of viewing this is, cloud users have service level agreements, most of which have fine print blowing off responsibility for security. So maybe if there's a breach, you can still have your legal department sue the crap out of someone, but as the computer person in your org, that buck to which I referred will still be stopping at your desk.]

This means that cloud users cannot cede security to their provider. Adding complexity on top of this admittedly simplistic advice is the nuance of different clouds presenting different challenges. Or, as the Cloud Security Alliance's paper puts it:

"The key takeaway from a security architecture perspective in comparing the [different SaaS] models is that the lower down the stack the Cloud service provider stops, the more security capabilities and management the consumer is responsible for implementing and managing themselves."

Where does these leave us? Process-wise, right now both users and providers are groping towards a solution. As the CSA doc summarizes it:

"The relative maturity of Cloud Services will lead to history repeating itself with respect to security issues. Consumers, Businesses, Cloud Service Providers, and Information Security and Assurance professionals need to collaborate to shine a light on the potential issues and solutions listed above and to discover those not yet identified."

Next time, I'll take a look at some of the technical solutions being floated to address security in the cloud.

See also:

Wolfe's Den Interview: Pacific Labs CIO Talks Cloud Computing Security, and

Wolfe's Den Podcast: Trend Micro Takes Security To The Cloud.

Follow me on Twitter: (@awolfe58)

What's your take? Let me know, by leaving a comment below or e-mailing me directly at alex@alexwolfe.net.

Alex Wolfe is editor-in-chief of InformationWeek.com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll