Confidence in the way the cloud providers manage security has risen as the sun sets on the first decade of cloud computing. If concern over cloud security has taken a step or two to the rear, it remains just off center stage, showing up in surveys as a diminished but still present concern.
And a broadcast by a former chief operating officer of the Cloud Security Alliance explains why cloud security has yet to move offstage in the IT manager's consciousness. John Howie, chief privacy officer and head of cybersecurity at the Huawei Consumer Business Group, said new threats are evolving with the cloud in a webinar broadcast by IEEE Jan. 24. Howie was COO of the Cloud Security Alliance from 2012 to 2014 and is a principal of Howie Consulting Inc.
Howie started out by acknowledging that the perception has taken hold that both providers of software as a service and infrastructure as a service have made great strides in establishing secure operations. The users' assumption is the cloud environment is frequently more secure than the enterprise data center. Howie agreed up to a point that the cloud environments are "very clean."
But the world of computing continues to change and new threats are evolving alongside the cloud, he said. The main threats arise from poorly built or configured applications that are loaded into the cloud containing vulnerabilities. Usually problems will be confined to that application, but a richly concentrated and populated cloud environment is an excellent breeding ground if malware does escape from such an application, he said.
In addition, few customers are using just one cloud, so malware may move into more than one vendor's cloud data center at a time. And cloud data centers tend to be connected to other cloud data centers by high speed lines, offering a superhighway over which malware may spread.
The risk of intrusion grows as enterprise employees adopt cloud services for their own use rather than wait for provisioning from the company's IT staff. File and document-sharing services such as Dropbox or code-sharing sources are all potential sources of individual infection. Subsequent use of corrupted files or software inside the company firewall can lead to an outbreak that company IT staff, despite its best efforts, has great difficulty preventing, Howie said.
"The cloud administrator at your company may be unaware that today's bring-your-own-device means bring-your-own-cloud," Howie said during the webinar.
Mobile users may be accessing cloud services and storing corporate data in them without the knowledge of IT. They may also be forming industry collaboration groups that could include the employees of competitors, everyone acting in good faith up front but openings and exposures being created beyond the view of corporate IT.
Mobile workers can sign up for free or low cost services and expense them to the company underneath the radar of the IT budgeting process and without raising concerns in the CFO's office.
"The threat landscape has evolved... Attackers are now targeting the cloud as way to get access to corporate data" and make their way past corporate firewalls, he said. "The hyper-connectedness of the cloud allows malware to move more easily from one system to another," he warned.
Finally, he said the Internet's infrastructure, on which cloud services frequently depend, itself is 40 years old and has changed little since its inception. "Core Internet services have not evolved in the last 40 years," while the threats continue to evolve and take advantage of aging infrastructure. The Domain Name System is one such piece of aging infrastructure. The frequently uses Secure Sockets Layer or other pieces of open source code are sometimes exposed for having recognized vulnerabilities. The security of the Network Time Protocol coordinating synchronization timing between remote systems is a constant concern.
Noting how much of the Internet has been constructed from open source code and maintained by volunteers, he said the Internet "is actually a bit of duct tape and spit holding together the different networks."
And cloud users themselves contribute to the hazard. Cloud providers can trot out various compliance standards that they've met – ISO/IEC 27001, SAS No. 70, PCI DSS Level 1, and SOC 1 Audit Controls Report – but they have little to do with what the cloud user brings into the cloud. "Use of cloud computing often doesn't follow the best practices recommended by the provider," Howie warned.
His description of the evolving hazard was followed by a list of things that cloud administrators and IT managers can do to keep their operations secure in the cloud. "It's the lack of governance of employee cloud use" that's the main culprit, he said.
A company should limit the number of outside services that employees may use and update its cloud usage policies, making it clear to employees there's a reason for the restrictions. "People are using the cloud to circumvent other policies," he warned. Alert and educate employees on why there are restrictions and "make sure people aren't going to try to work around them," he said.
Examine the logs of proxy servers and firewalls looking for evidence of employees using bring-your-own-cloud on their laptops or mobile devices.
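One way to run the proxy-log check described above, as an added example that is not part of the original article. It assumes Squid's native access.log field layout, a hypothetical watchlist and approved-service list (only Dropbox is named in the article), and constructed sample log lines.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed policy data (hypothetical): cloud-service domains to watch for, and
# the subset IT has approved. Only dropbox.com is named in the article.
WATCHLIST = {"dropbox.com", "codeshare.example", "files.corp.example"}
SANCTIONED = {"files.corp.example"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy type
SAMPLE_LOG = """\
1485270001.120 210 10.0.4.17 TCP_TUNNEL/200 48213 CONNECT www.dropbox.com:443 alice HIER_DIRECT/- -
1485270009.554 95 10.0.4.17 TCP_TUNNEL/200 9120 CONNECT files.corp.example:443 alice HIER_DIRECT/- -
1485270015.002 340 10.0.7.33 TCP_MISS/200 120044 GET http://codeshare.example/repo.zip bob HIER_DIRECT/- application/zip
1485270020.871 120 10.0.7.33 TCP_TUNNEL/200 7300 CONNECT dl.dropbox.com:443 - HIER_DIRECT/- -
1485270031.415 88 10.0.9.2 TCP_DENIED/403 3900 CONNECT www.dropbox.com:443 carol HIER_NONE/- text/html
garbled line that should be skipped
"""

def host_of(method, url):
    """Hostname from a CONNECT target (host:port) or from a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def match_service(host):
    """Watchlist domain that host equals or is a subdomain of, else None."""
    for domain in WATCHLIST:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_unsanctioned(log_text):
    """Map (user or client IP, service) -> [requests, bytes] for BYOC use."""
    hits = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[4].isdigit() or f[3].startswith("TCP_DENIED"):
            continue        # malformed, or already blocked by the proxy
        service = match_service(host_of(f[5], f[6]))
        if service and service not in SANCTIONED:
            who = f[7] if f[7] != "-" else f[2]   # no auth: use client IP
            hits[(who, service)][0] += 1
            hits[(who, service)][1] += int(f[4])
    return dict(hits)

if __name__ == "__main__":
    for (who, svc), (n, size) in sorted(find_unsanctioned(SAMPLE_LOG).items()):
        print(f"{who:12} {svc:20} requests={n} bytes={size}")
```

Matching on the registered domain rather than the full hostname catches subdomains such as `dl.dropbox.com`, and falling back to the client IP keeps unauthenticated sessions attributable to a device.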
Double check the security design of your corporate cloud use, stay informed on best practices and make sure they're implemented, he continued. "Make sure you are using host-based firewalls, IPsec and anti-virus and malware software in the cloud. It's shocking how many customers don't."
When it comes to using SaaS, allow users to log in only with their corporate IDs, not with both corporate and personal IDs, he said. Check the computer access logs frequently to see what IDs are being used. Scan email before allowing it to be brought into cloud server systems. "This will drive up the cost of cloud computing, but it's cheaper than cleaning up after a breach," he said.
Tell employees to be "sensible with file sharing." They should know something about the parties they've agreed to share with and be cautious about exposing any corporate data.
Instead of relying solely on Internet services, examine the potential use of your own enterprise hosts for local Domain Name Service instead of public DNS. Use "runners" to check for DNS or routing problems. Runners are tests or queries launched from outside the corporate network to detect performance or security issues on key parts of the network infrastructure.
Consider using DNSSEC, the DNS Security Extensions, which allow a DNS client to check the origin authentication of DNS data: does it come from where it says it does? DNS-based Authentication of Named Entities, or DANE, is a way of using encrypted certificates to ensure that it does.
Howie also recommended considering "using more than one SaaS or IaaS provider, splitting use of their services" across enterprise needs. "This comes with added complexity and cost but prevents total failure if one provider goes down."
There are many resources available for improving each user's cloud security, starting with those of the cloud providers themselves and including the Cloud Security Alliance, the IEEE and the National Institute of Standards and Technology, Howie pointed out in conclusion.