Yeah, I know, this is another one of those "everything changes" moments where we're prodded into frenzied activity--as opposed to effective action--because an emerging technology has surged ahead of our ability to properly manage it. I'm talking about cloud computing, and the attendant fears not just of data theft, but of breaches of SaaS computing resources themselves. Fortunately, there are a bunch of below-the-radar efforts attempting to address these worries.
Yeah, I know, this is another one of those "everything changes" moments where we're prodded into frenzied activity--as opposed to effective action--because an emerging technology has surged ahead of our ability to properly manage it. I'm talking about cloud computing, and the attendant fears not just of data theft, but of breaches of SaaS computing resources themselves. Fortunately, there are a bunch of below-the-radar efforts attempting to address these worries.Cloud security reared its head most recently, with Trend Micro chief technology officer Dave Rand being quoted as saying: "Between now and widespread adoption [of cloud computing] we will see massive data theft occurring as people move into the cloud."
Since adoption is ramping up, one can infer that such thefts are already ongoing. (Or, more scarily, one can take a short intellectual leap from my post, Admiral Warns Cybersecurity Threat Looms For U.S., and assume that cloud data thefts are already rampant, we're just not hearing about them.)
It's interesting to note that cloud security holes result not from any inherent shortcomings of the technology itself, but rather from its inherently greater exposure. Namely, it's visible on the Internet. Also, as I mentioned up top, our processes have not yet caught up with our financially induced rush to shed more secure (because they're better, though not entirely, hidden) self-hosted apps, in favor of the promised capex savings of SaaS equivalents.
The most succinct summary of the problem comes via the document, "Security Guidance for Critical Areas of Focus in Cloud Computing," which I encourage you to download from the Cloud Security Alliance [pdf is here], which speaks of the erosion of the traditional security perimeter:
"It is clear that the impact of the re-perimeterization and the erosion of trust boundaries we have seen in the enterprise is amplified and accelerated due to Cloud."
Operationally, one can analogize purchasing cloud services to owning a car. The manufacturer (or, in this case, the vendor) is responsible for creating a safe product. However, practically speaking, the buck stops with you the user as far as ultimately ensuring safe operation.
[Another way of viewing this is, cloud users have service level agreements, most of which have fine print blowing off responsibility for security. So maybe if there's a breach, you can still have your legal department sue the crap out of someone, but as the computer person in your org, that buck to which I referred will still be stopping at your desk.]
This means that cloud users cannot cede security to their provider. Adding complexity on top of this admittedly simplistic advice is the nuance of different clouds presenting different challenges. Or, as the Cloud Security Alliance's paper puts it:
"The key takeaway from a security architecture perspective in comparing the [different SaaS] models is that the lower down the stack the Cloud service provider stops, the more security capabilities and management the consumer is responsible for implementing and managing themselves."
Where does these leave us? Process-wise, right now both users and providers are groping towards a solution. As the CSA doc summarizes it:
"The relative maturity of Cloud Services will lead to history repeating itself with respect to security issues. Consumers, Businesses, Cloud Service Providers, and Information Security and Assurance professionals need to collaborate to shine a light on the potential issues and solutions listed above and to discover those not yet identified."
Next time, I'll take a look at some of the technical solutions being floated to address security in the cloud.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.