CLIENT: NETWORK BOX USA
February 2012: PC Today
You might expect sunshine to poke through holes in a cloud in the sky. But it's a far darker situation when dealing with cloud services in the enterprise, where holes can allow devastating breaches of data and privacy. Although cloud providers continue to boost security, adopters of these services nonetheless need to be aware of potential security holes and how to prevent them.
The intrinsic nature of the cloud gives way to a certain level of freedom between providers and customers to ensure that services are effective, flexible, and efficient. However, as a skyrocketing number of businesses begin to rely on cloud services for critical processes, more attention is being given to security around these implementations. Service providers are certainly lending more resources than ever to the security of their products, but a good deal of responsibility can also fall on the shoulders of cloud users themselves.
When Pierluigi Stella, chief technology officer of Network Box (www.networkboxusa.com), started dealing with cloud security about two years ago, he said he felt as though he traveled back nearly 10 years in terms of how security was handled. A decade ago, many companies used simple firewall and antivirus technologies to protect their workstations, Stella says. Threat levels at that time generally weren't high enough to warrant more stringent security measures, but Code Red and other severe threats eventually emerged and began to change the security landscape. Now, he says, an average of 200,000 new zero-day threats appear every day.
"The unfortunate discovery I have made in dealing with cloud security is that we seem to be stuck in a world that has not truly realized all this," Stella says. "Unless some regulator, auditor, or law tells me what to do, I will do almost nothing at all—this is the common approach. In the cloud, this is accentuated by the fact that companies are moving there to save money, and when they run into the issue of having to set up a separate virtual server to run a virtual security device, they realize they had not budgeted for it, so they end up going for the cheapest and simplest solution."
This solution is often self-managed, he adds, even if the company is fully aware that it lacks the skills to properly configure the required protection. As a result, such companies ultimately move data into the cloud without proper protection. According to Norm Laudermilch, chief operating officer of Terremark (www.terremark.com), applications in the cloud are running on virtualized instances of the same operating systems already in use elsewhere. As such, these applications can fall victim to the same vulnerabilities and attacks that have plagued businesses for years.
"Unpatched systems, weak authentication, bad firewall configurations, and running unnecessary services can be just as big a threat as the more sexy vulnerabilities like zero-day exploits and advanced persistent threats. On top of that, virtualization introduces cloud-specific vulnerabilities like attacks against the hypervisor, which could allow one guest to compromise another guest, or worse, the hypervisor itself, allowing access to all guests," Laudermilch says.
Casual cloud observers might point to high-profile breaches as examples of the cloud's inherent insecurity. But Laudermilch says that rather than considering cloud services unsafe across the board, consider that the cloud simply requires the same security diligence as non-virtualized environments.
Keeping cloud activities secure requires the constant reminder that business data may be leaving the premises. With this in mind, strong remote computing security practices apply to ensure that eavesdroppers or other intruders don't gain access to your data. Stella recommends using a strong VPN (virtual private network) such as a certificate-based, SSL-protected VPN with AES-256 encryption. If you're not sure what kind of protection is offered by your cloud provider when connecting to its services, check with the provider before moving any data.
"You should also investigate how the hardware side of your virtual environment is handled to ensure that your virtual neighbors have no accidental access to your data. I have seen an MSP [managed services provider] set up a number of servers on a virtual LAN [with] each server belonging to a different customer. So now you are in a situation where I can log on to my server remotely, and I am on the same LAN with servers that do not belong to me. I can use that as a bridge to attack all those servers and steal their data," Stella explains.
He notes that because businesses don't know their neighbors in the cloud, they should trust no one and always ensure that their LAN environments stay exclusive to them. Joseph Pedano, senior vice president of data engineering at Evolve IP (www.evolveip.net), adds that when using public clouds, businesses should configure a host-based firewall, while users of private or hybrid clouds should use both a firewall and an IDS/IPS (intrusion detection system/intrusion protection system) to prevent or mitigate security holes.
Pedano also advises against opening yourself to holes in the first place. For example, he says, if someone is utilizing a public infrastructure, are you comfortable with any of that data being advertised to the public if it was compromised? Regardless of the answer, sensitive data—such as database or transactional data—should reside on hardened machines behind proper security devices, he says. Further, if server access is granted as part of the infrastructure, that infrastructure should be patched and regularly scanned. Pedano recommends considering the placement of a DLP (data loss prevention) program to understand what's moving onto and off of the server.
The prevalence and severity of cloud security holes can vary widely depending on the service, the service provider, the implementation, and the ability and/or practices of the customer. Robert Jenkins, chief technology officer of CloudSigma (www.cloudsigma.com), says that different cloud implementations can have different boundaries in terms of client and provider responsibility and control.
"For instance, if a provider gives the client complete control over the software layer, the customer becomes able to largely manage their own security," Jenkins says. "It becomes a much tougher job for the provider if they take on the responsibility of securing their clients' implementations, since the provider may create rules that aren't applicable to every customer and may actually interfere with their computing. Security is very different from customer to customer, and a one-size-fits-all approach doesn't usually work, or is at least hard to manage effectively."
Some cloud providers deliver a secure path to their services and leave the rest of the security configuration and management to the customer. For businesses with capable staff, this can be a preferred approach, as it provides the flexibility and power to control cloud environments as desired. However, businesses without staff trained in security configurations, or without the manpower to handle these duties, may prefer cloud providers that deliver end-to-end security.