Comments
Cloud Providers Must Share Discovered Vulnerabilities
Ed Moyle, User Rank: Apprentice
5/16/2014 | 8:26:36 AM
This is a bigger deal than you might think
So, from a cloud service provider perspective, this is a bigger deal than you might think. I can tell you that there can be strong internal pressure to not disclose security issues to customers. That includes explicit vulnerabilities, but also operational issues that prevent security controls from working at full utility (for example, configuration problems, etc.). In fact, the pressure is strong enough that I used to use it as an interview question when hiring resources. For example, at the first interview I would ask something like:

"Hypothetical scenario: you discover a configuration issue in a customer's managed IDS instance that prevents it from scanning all relevant traffic. The customer is heavily regulated, has had a number of support issues recently and has gone on record that one more issue will cause them to take their business elsewhere. The account management team advises you to not inform the customer until the issue is resolved, which the technical manager says will take 3 months. What's the best course of action?"

If their answer was anything other than some form of "suck it up and immediately inform the customer", I would (politely) end the interview and cross them off the list. That said, I'm sure that not everyone at every CSP shares that same view.
Charlie Babcock, User Rank: Author
5/13/2014 | 3:50:42 PM
Establish a central vulnerability reference
The idea of vulnerability sharing by cloud providers is a good one and spreads the cost of keeping up with the various forms of assault. Just as disease outbreaks come to the attention of the Center for Disease Control, so should vulnerabilities be contained through some centralized system of sharing analysis and countermeasures.
WKash, User Rank: Author
5/13/2014 | 12:15:17 PM
Re: Feudalism
Stratustician, one compelling aspect of the FedRAMP cloud security authorization program is the role of 3PAOs - third party assessment organizations that providers must hire to assess/audit a service's security practices and processes. And because providers must have their FedRAMP authority renewed annually, there's less room to hide vulnerability incidents.
Stratustician, User Rank: Ninja
5/13/2014 | 12:04:28 PM
Re: Feudalism
You're right, until the power shifts from the provider being protected by the SLA to the customers who have enough influence to demand more from the service provider, we are still at the mercy of the providers themselves, who determine the levels of security that these services entail. Prior, with managed security, there was more at risk, as these providers had to consistently prove their results. With cloud, there is more room for abstraction when it comes to the security backend, and so customers rarely have insight into the real vulnerabilities that exist. Perhaps this will cause a shift to having providers partner with third-party managed security providers to prove security performance? I really do hope so.
rfoeckl, User Rank: Apprentice
5/12/2014 | 8:37:11 PM
Story
Interesting story.
WKash, User Rank: Author
5/12/2014 | 2:22:32 PM
Re: Feudalism
One of the big arguments in favor of well-run, established cloud service providers is the notion that customers' data are better protected through a central utility w/ top security teams at the console than when their data are spread out, and exposed to a wider array of threats, across multiple systems within an agency. But as cloud providers become more commodity-oriented, and pricing pressures threaten to roll back some of that extra security expertise, customers may find their only leverage is to band together - in feudal fashion - with other users to ensure they're getting the protection(s) they're paying for in their SLAs.
Whoopty, User Rank: Ninja
5/12/2014 | 5:55:55 AM
Re: Feudalism
Yeah, there's been an interesting power shift with the growth of the cloud - which is why many governments are simply building their own. However, I hope that with government security fears over unlawful spying or viewing of secretive data, more politicians will reconsider the way that domestic intelligence agencies have been spying on their own citizens in many countries.
danielcawrey, User Rank: Ninja
5/11/2014 | 1:10:18 PM
Feudalism
I have never thought about this example of cloud feudalism that Schneier describes. But it does in many ways describe the kind of mercy we are at with cloud providers.

At the savings of paying for costly licenses and infrastructure fees, we are confronted with monthly fees and less control. Many IT shops don't like this. But if they want to, they can use their resources to build their own cloud architecture. The technology is available for those who don't like the feudal model.