Feature Story

Security Risks in Cloud Computing – A Few Words to the Wise

Many companies greatly underestimate the security issues in the cloud and end up trying to protect their servers only with a firewall, if even that. Because the cloud is being approached as a way to save money by reducing hardware rather than by improving efficiency, the idea of deploying security in the cloud is too often overlooked as an expensive and unnecessary luxury. This is heaven for the hackers, who couldn't ask for anything better than an environment full of servers that aren't protected.

A decade ago, security was generally seen as a firewall and, maybe, antivirus on the workstations. This is no longer acceptable. Various gateway protections have now emerged. In the meantime unified threat management (UTM) devices appeared on the market and they started integrating all these technologies together. Network security today can be very strong; but too many companies are not adopting the same at the virtual level.

For one thing, in the virtual world you can't install your own device. So you need to use what is available as a virtual solution.

But most of the other offers, which customers can manage themselves, are just firewalls. And this poses a problem and a risk. A firewall is only a starting point, and definitely not the "entire" security you need to protect a network. You need to install your own open source code, compile it, configure it. Where are the savings when your people need to spend so much time securing everything? And so it happens that security becomes secondary because it is seen as too expensive to be done properly.

What makes matters even worse is the generalized lack of appropriate processes and procedures to deal with the cloud. When you move your data in the cloud, you need to ensure that access controls are as strong as they can be; you also need to reinforce your database even more than when you have it in house; and you need to define very clearly who has access to what and why. The same processes and procedures you use inside your company need to apply to the cloud.

The best way to protect your cloud is to adopt an integrated solution; this will deliver the best security available in traditional environments, and allow for full protection of the cloud servers and data. Connection from the company's network to the cloud should never be made other than through a Virtual Private Network (VPN). Inbound access from the Internet to the servers should be tightly controlled, and allowed only from specific IPs if possible, and only if and when necessary.

Access outbound, to the Internet, should be controlled as well by opening only the ports that are really needed, which in most cases will be only domain, http, https and maybe a handful of ports to reach some authorization or authentication server, if really necessary (these should be restricted to the IPs of the remote servers).

The bottom line is that too many companies are adopting lackluster security postures in the cloud because they are trying to contain costs. In doing so they are putting their data in danger. At a minimum, their servers could become either zombies of botnets, or command and control centers of the same. But they could also lose their data and this could compromise the sheer existence of their company.

The situation could be even worse for those environments where the provider is not really selling infrastructure as such, but some sort of predefined service.

For example, when you move your email to a cloud-based service, you are trusting that they are really scanning for viruses and spam, and doing so very well. That is the case for a few companies, which have been in that business for very long and only do cloud based email and related security. But too many companies are 'inventing' themselves into this business today, and the security in this case is not optimal.

If you are adopting one such service, ensure you have email security at your gateway as well, and rescan your mail – it does not hurt to scan more than once!

Pierluigi Stella is CTO of Network Box USA Inc., the North American arm of Network Box Corp. After 15 years at IBM, he co-founded Network Box USA, where he has gained extensive knowledge of security issues as head of both the technical and customer service divisions. He can reached at www.networkboxusa.com.

Return to: 2012 Feature Stories