Understanding the Security Challenges of Cloud Computing

An Internet.com Security eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Contents

  • Enterprise Cloud Computing: Risk and Economics
  • Cloud Computing Faces Security Challenges
  • Cloud Computing Requires Security Diligence
  • Three Steps to Secure Cloud Computing
  • How Cloud Computing Security Resembles the Financial Meltdown

This content was adapted from Internet.com's Enterprise IT Planet, eSecurity Planet, CIOUpdate, and Datamation websites. Contributors: Sonny Discini, David Needle, Robert McGarvey, and James Maguire.


Enterprise Cloud Computing: Risk and Economics
By Sonny Discini

Everyone is talking cloud these days, and why not? The offerings are maturing, and the benefits are starting to appeal to those who want to solve enterprise risk and economic issues still on the table. Things like pay-per-use models now have us looking at how we assess hardware and software costs. You can now pay for only what you use instead of buying a full application suite. But can the economic and risk factors drive enterprises over to full cloud deployments?

A New Way of Doing Business

As I just mentioned, the enterprise now has a new way of looking at the economics of operational IT. This extends from core apps right down to enterprise security. Cloud computing is better at optimizing capital investments because it needs far less capital outlay for hardware, software, and real estate; instead of investing in them, enterprises procure cloud services. This significantly lowers total cost of ownership, which traditionally has been a significant cost to the enterprise.

When we think of large enterprise IT, we cannot let go of the old assumption that it is slow to move when it comes time to make a change. Cloud offerings may crush this old adage. Cloud computing typically requires significantly less time and effort to provision additional resources for existing applications or new resources for new applications. The straightforward procurement model and the use of shared infrastructure also give the cloud computing model greater agility.

Another area where costs have traditionally been high is IT talent. Cloud models will allow the enterprise to tap talent pools for a fraction of the cost of retaining in-house staff. This will give IT pros heartburn, but those who are able to shift on the fly will be able to turn their focus to solving business problems. The enterprise can then fully focus on business objectives and allocate more resources to solving business problems, even the ones that were practically unsolvable with in-house staff. From another angle, the cloud model now gives small organizations access to IT services and talent previously out of reach. The small organization now has the ability to tap the same level of talent and services as the large enterprises.

You Cannot Shift Risk

Cloud computing offers computing architectures and innovation potential never before seen in large and small enterprises. It is important to understand that risk does not evaporate in the cloud; nor does it shift to the cloud provider. Enterprise security professionals have been waving the red flag to C-level executives interested in migrating to the cloud. Questions must be asked such as:

  • Which risks related to service reliability, availability, and security arise?
  • How much control can the user exert over the IT services provider?
  • What control must be given to the provider, and what trust assurances exist?

Given that cloud models are new, even with the SLAs provided today, an enterprise can quickly find that what it thought it was getting may not be the case at all. Legal departments are also seeing cloud issues for the first time, so it is extremely important to involve all enterprise teams when looking at cloud contracts, potential litigation exposures, and of course security risks.

Cloud computing offers significant benefits to the organization in terms of economics, agility, innovation, simplicity, and even social impact. However, the devil is in the details, and while there are many benefits to the cloud model, the trust and risk aspect of the cloud is still widely unknown, and hence, very dangerous. When enterprise architects and security pros design controls around business processes, they will have to take traditional tools and refine them to provide sufficient protection to the enterprise in this new dawn of computing.

Cloud Computing Faces Security Challenges
By David Needle

Is cloud computing adoption hurt by security issues, compliance concerns, or just a poorly chosen name?

"The worst thing we ever did was coin the term 'cloud,' which takes a business process and makes it sound ... out there," said Thinkstrategies analyst Jeff Kaplan.

But John Weinschenk, CEO of security firm Cenzic, said cloud security is far more of a pressing concern. "It's actually impossible to secure the [public] cloud today," he said. "You just don't know if your information is going to be processed in Czechoslovakia or Russia, and what they're going to do with it. And if anything goes wrong, who do you sue?"

John Desantis, CEO of identity management provider Tricipher, agreed. "There is a thin veil that is clearly being penetrated," he said.

But Weinschenk and Desantis made clear they were talking about public, consumer service-style cloud providers. Weinschenk said the future for enterprises lies in private and semi-private clouds that are more closed systems where the security parameters and service guarantees are known.

Nicholas Popp, vice president of product development at domain management and security provider Verisign, however, disagreed to the extent that he said companies like his have the potential to make cloud services even more secure than traditional datacenter solutions.

"Customers think security is the cloud issue, but it's really a trust issue ... a governance issue," Popp said. "Can I set the policies I want to and impose them? And second, can I verify that the policy works? It's about governance and control issues."

"You never sell security," he added. "You sell compliance to those who need it. When we look at people embracing the cloud, it's really from the big guys who control a private cloud and can scale it to realize the benefits. The other buyers are SMBs who are looking to outsource everything."

Randy Barr, chief security officer at Qualys, said enterprises are demanding their cloud service providers offer greater visibility to make it clear that the systems are secure, a service his firm provides.

"You can get scans of the cloud system for vulnerabilities," he said. "We're seeing more transparency from providers to meet this demand."

CIO Objections

Security isn't the only concern enterprise buyers have about cloud computing systems, which in theory can save an order of magnitude in costs over companies buying and managing their own computing infrastructure.

"From an enterprise perspective, the CIO wants to hold off," said Joe Tobolski, a partner at Accenture Technology Labs. But he warned that cloud services are already popular, if you include social networks like Facebook and Twitter as well as e-mail services like Gmail in the mix. "These services are ridiculously easy to sign on to. There is going to be a clash of the command and control infrastructure that a lot of CIOs prefer to those people who want to get stuff done."

Charles Carmel, vice president of corporate development at Cisco, said that trends like the cloud and software-as-a-service (SaaS) in particular are causing one of the largest disruptions across the IT landscape.

But Marc Benioff, CEO and founder of one of the best known and most successful SaaS providers, Salesforce.com, conceded that the vast majority of software is still with companies in their datacenters.

"That's the opportunity," Benioff added. "I try to educate people because companies want to hold [us] back, like the people that want to sell more servers."


Cloud Computing Requires Security Diligence
By David Needle

Offloading IT infrastructure to a cloud computing provider can result in great cost savings and more streamlined, flexible operations. Need more compute power or storage? Cloud systems like Amazon's readily scale, so there's no need to go through a time-consuming purchasing process or scramble to find more room for an expanded datacenter.

But the cloud is not a panacea, and the need to adhere to information management best practices remains, Symantec executive Deepak Mohan told InternetNews.com.

Mohan should know. In his position as senior vice president of Symantec's Information Management Group, he oversees a range of products and services, including archiving and backup for information management, and regularly meets with enterprise customers. The company also works with leading cloud providers like Amazon to ensure their services are compatible.

He jokes that the cloud is "very cloudy" when it comes to enterprise adoption, as companies are still experimenting with the best way to leverage it and feel confident their data is secure. Mohan said he's frequently seeing a hybrid approach where companies rely on a cloud provider for storage for certain applications, but also maintain on-premise backup for security and recovery and to make sure they can adhere to compliance requirements.

"Inside the cloud, customers need the same level of security and data protection," said Mohan. While managed service providers offer service level agreements (SLAs) and security assurance, Mohan said companies can and should take extra steps to ensure their information is safe.

"There are many security endpoints with cloud services and that's where authentication becomes very important. It's a big area of investment for us," said Mohan, noting Symantec's $1.28 billion purchase of VeriSign's authentication services unit.

"Amazon is going to encrypt and store your files, but the backup data stream may be unencrypted. So things like security in transit are services we provide that support the hybrid, cloud and on-premise use cases."

Mohan also said it's important for companies, particularly those in highly regulated industries like finance and health, to be sure their information on the cloud is organized both for retention and compliance.

"The cost of legal e-discovery can exceed government fines. It's very expensive to do on a reactive basis and lawyers love it because they charge by the hour and the page," said Mohan. "What you want to do is instrument your information on the way in, not after the fact."

Symantec is one of many providers that have services to index and protect data. Mohan said Symantec's Enterprise Vault archiving platform follows the EDRM (Electronic Discovery Reference Model) and offers different export formats for outside counsel that are admissible in court.

"Some companies are ahead of the curve and moving proactively to make sure their information is being managed effectively," said Mohan. "Another class of companies really gets serious after their first litigation request."


Three Steps to Secure Cloud Computing
By Robert McGarvey

You can close your eyes and pretend it is not happening, and many CIOs are doing exactly that, but face this reality: Cloud computing is with us to stay. Everybody will soon be using it.

At least this is the prediction of Jim Haskin, CIO at Websense, a San Diego-based data security provider, and others.

A scary thought? For many CIOs, yes. "They are panicking about this," said Kirill Sheynkman, CEO of San Francisco-based Elastra, a developer of applications currently deployed in association with Amazon's cloud computing offering. The panic is well-founded, isn't it? Because of the security concerns that come with jumping the firewall?

Sheynkman snorts: "Security is not the issue. Do you think your IT department knows more about data security than Amazon does?"

Reality check: "Data security in the cloud is no different than data security at a remote data center," said John Lytle, a senior consultant with IT consulting firm Compass in Chicago.

"In many cases, data at most companies are more at risk in their own environment than in a well-managed cloud," said Mike Eaton, CEO of Cloudworks, a Thousand Oaks, Calif.-based provider of cloud-based services, primarily to small and mid-sized businesses.

Capable Hands?

The big cloud players (Amazon, Google, Oracle/Sun, Salesforce.com) know more than a little about maintaining online security and, considered in that context, worries about outsiders knocking down the security walls and having their way with your data indeed seem overwrought. "There's been a lot of over-reaction," said Sheynkman.

"The question should not be about data security in the cloud," elaborates Haskin. "We need to be asking other questions that probe exactly why we are afraid of cloud computing." And certainly, as a group, CIOs are resisting it. But just maybe that has to end, because time to dither may be running out for CIOs.

Bill Appleton, chief technical officer at Mountain View, Calif.-based DreamFactory, a developer of cloud-based applications, ominously warns: "The cloud may skip IT and sell directly to end users. It might simply bypass the command and control system of IT."

And that may be the legitimate worry. That's because a CIO nightmare revolves around unauthorized use of public cloud resources by employees who may be putting sensitive internal data online in Web-based spreadsheets or into slide shows.

"Most CIOs worry a lot about employees putting data that shouldn't be public in public places," said Christopher Day, senior vice president of security services at Terremark Worldwide, a global provider of IT infrastructure. That fear is justified. What would the board of directors say if it discovered the company's strategic plan was accessible in a public cloud? But Day also suggests that CIOs can snuff out this potential firestorm simply by taking a direct approach.

"Just put into place clear policies, then educate employees about them," said Day.

Pull your head out of the sand (or clouds, as the case may be) and directly attack this concern. That is how to make it vanish. Understand too that employees who upload sensitive data usually mean well. They are just looking for better ways to work. "Look for other, more secure ways to let them do exactly that," adds Day. Take those two steps and most likely cloud-based shadow IT will diminish in your organization.

Securing the Logon

Another, lingering worry about cloud computing is that with many providers log-ons are too primitive.

"Large enterprise will not embrace the cloud until security significantly improves," flatly predicts John Gunn, general manager at Chicago-based Aladdin, a developer of digital security tools. The worry here is that when barebones log-ons are in use, old-fashioned social engineering techniques will let hackers learn employee log-ons and, watch out, data leakage will be at flood stage.

But, said Gunn, the solution is simple: enterprises should only permit data to migrate to the cloud where two-factor, strong authentication is in use and, right there, hackers probably are kept at bay. Take just that step, suggests Gunn, and considerable big-company opposition to cloud computing would instantly evaporate. Most mainstream cloud providers are hanging back on this but, suggests Gunn, when enough users cry out for safeguards the cloud companies will respond.

Here Today

A final, big worry, particularly in today's unstable economy, is the durability of the cloud provider, said Raimund Genes, CTO at Trend Micro, the global security company. "You need a provider that will be in business three years from now. When you give up your IT infrastructure, you need a reliable service provider." When a cloud provider goes bankrupt, how accessible is your information, and by whom? Better not to deal with such questions at all by instead going with cloud providers that have the wherewithal for a long-haul contest.

Parting advice for CIOs who are still wringing their hands in worry over data in the cloud comes from Elastra's Sheynkman, who reminds us: "It's not all or nothing. It does not have to be. Put only the data you are comfortable with on the cloud. That is what most companies seem to be doing. We are still in an era of experimentation."

Take it in little steps, but start taking some steps; that's the smart way to embrace the cloud.


How Cloud Computing Security Resembles the Financial Meltdown
By James Maguire

How do you know if a cloud computing vendor is secure?

After all, you trust them with highly sensitive data and business-critical processes. Your entire business may rest on your ability to evaluate their level of security.

When they make claims about their nearly absolute level of safety, should you just take their word for it?

Goodness no, say the vendors, we've got a third-party certification to back up our claims. Specifically, they point to their SAS 70 certification. SAS 70 (Statement on Auditing Standards No. 70) is an auditing standard under which an accountant reports on the controls a service organization has in place, and vendors cite it as evidence that they handle sensitive information properly. Strictly, a SAS 70 engagement produces an auditor's report rather than a certificate, a distinction that matters below. It was created by the impressively named American Institute of Certified Public Accountants (those folks know how to fill out forms). SAS 70 was around before cloud computing, and has been shoehorned into use by vendors seeking an impartial third-party credential to reassure nervous cloud customers. (SAS 70 has since been superseded by SSAE 16 and the SOC 1/SOC 2 reports; the buyer-beware argument that follows applies to those just as well.)

But here's where it gets dubious. Guess who writes a check to the SAS 70 certifiers? Believe it or not, it's the vendors themselves. If you were a cynical, non-trusting type (which you should be if your company's data is at stake) you might wonder if that is a conflict of interest. Don't accounting firms have a vested interest in granting SAS 70 certifications to those cloud computing vendors who can pay for them?

Hmmm, as a client of a cloud vendor, I'm feeling nervous. But SAS 70 really does mean something, doesn't it? Well, probably.

More troubling, at this point you might have a moment of déjà vu. Wasn't a similar conflict of interest at the heart of the recent financial meltdown?

In the view of Jay Heiser, a Gartner analyst who specializes in security, the connection is clear. He's the author of the research report "Analyzing the Risk Dimensions of Cloud and SaaS Computing." After reading Michael Lewis's account of the financial debacle, The Big Short, Heiser told me, "I found more parallels between what happened in the financial services and cloud computing than I anticipated."

Let's rewind the tape a bit. A distressing fact about the Crash of 2008 is that the major credit rating agencies, the very groups tasked with protecting investors, were tacitly complicit.

The two biggest ratings agencies, Moody's and Standard & Poor's, failed to send up red flags about subprime mortgage-backed securities. These supposedly impartial watchdogs evaluate the credit worthiness of securities, enabling investors to make informed decisions. Yet instead of labeling junk as junk, they bestowed a top AAA grade on highly risky assets.

Shockingly, virtually all of the AAA-rated subprime-mortgage-backed securities issued in 2006 have now been downgraded to a junk rating.

It was a clear conflict of interest. These ratings agencies are paid by the issuer of the security. Perhaps it's not surprising that they labeled some rotting sausage as high-grade beef. If one of the agencies had threatened to give a low (but accurate) rating, the issuer would simply shop at another ratings agency. The system itself was set up to provide false assurance.

Now back to cloud computing and SAS 70. OK, let me get this straight: the cloud companies pay accounting firms for SAS 70 certifications just as the financial organizations paid Moody's for an investment-grade rating?

"Yes, if you see someone who claims to be SAS 70, they have paid an accounting firm. Not only have they paid an accounting firm to go do the test, but they've told the accounting firm what processes need to be tested," Heiser says.

"And you see a distressing number of providers that are claiming, 'Well, we're secure, or we have availability; it's proven by the fact that we have a SAS 70.'"

This statement echoes a key finding that Heiser noted in his report:

"Third-party certifications are immature, are unable to address all aspects of cloud-computing risk, and should be relied on only after a thorough evaluation of the written report."

To be fair, a SAS 70 is likely more than a mere piece of paper. It may prove more than the fact that the vendor has the money to hire an accounting firm. Perhaps it should be thought of as a good starting point. Still, the responsibility remains squarely on the client to evaluate the SAS 70's written report and make their own determination. Were the right controls included? Were they evaluated to the appropriate degree? Since the vendor chose which processes were tested, the report's scope section is the first thing to read: a control that was never in scope was never audited, however clean the opinion looks.

In other words, buyer beware. You have to do your own digging. From Heiser's report:

"Do not accept the claimed existence of a certification or other third-party assessment as being adequate proof of security and continuity fitness for purpose. Thoroughly review the assessor's written report to ensure that the scope of evaluation is adequate, and that all necessary processes and technologies were appropriately addressed."

But is it IT?

An additional question bedevils the debate over cloud security: Is SAS 70, even if administered by an impartial third party (which it's not), an insightful evaluation of a cloud computing vendor's security?

SAS 70 was never designed for this use, though in theory it could address an IT risk scenario. "Call me a cynic, but SAS 70 is an auditing standard originally intended to be used against processes relevant to financial statements, secondarily to financial transactions," Heiser says.

"So the thing starts very, very far away from anything that would traditionally be considered an information security or a business availability assessment. It's done by accounting firms."

A common perception of the financial evaluators involved with false credit ratings is that they were not the cream of the Wall Street elite. Those brighter talents were pursuing vastly more remunerative activities.

"In contrast, I would expect that whoever is doing a SAS 70 is a fairly ambitious [staffer] at a CPA firm," Heiser says. "Still, are they auditors? IT? Did they go to Purdue and get a Masters degree in Information Security? What's their background for all this?"

The moral of this cautionary tale is best summed up with a last key finding from the Gartner report:

"Be skeptical of vendor claims, and demand written or in-person evidence."

