Elsevier

Network Security

Volume 2008, Issue 12, December 2008, Pages 9-11
Cloud Security
Danger in the clouds

https://doi.org/10.1016/S1353-4858(08)70140-5

Cloud computing is hot, but are we running ahead of our ability to ensure a secure environment? If you are smart, you have invested significant resources in securing the perimeter of your organisation. You feel safe behind the firewalls, DMZs, VPNs and fiercely enforced policies. Then along comes cloud computing and suddenly your users are keeping valuable and even business-critical data outside the perimeter, beyond your control. Scary, is it not?

Section snippets

Large target

There are important differences between cloud services and, say, an outsourced data centre, which will be in a readily identifiable location, on dedicated servers that are integrated into your own network.

“Traditional systems are masked behind firewalls, NATs, and other gateway boundaries, so attackers must do intensive intelligence gathering to know that they exist,” explains Greg Day, security analyst at McAfee. Cloud services, on the other hand, are highly visible and are designed to be

So what is the problem?

Gartner recently outlined seven security issues – privileged user access, regulatory compliance, data location, data segregation, recovery, investigative support, and long-term viability [1]. Some of these concerns could be applied to any outsourced service, but there are cloud-specific security threats.

“The majority of the threats are going to come from conventional sources,” says Ken Munro, director of penetration and security testing company SecureTest. “You need to be able to log into the

Design flaws

You have to place a great deal of trust in the design of the system – not least in the access and authentication capabilities. This was highlighted when a flaw in a new indexing system at Zoho resulted in one user being able to read other users’ documents. Zoho says it fixed the issue within hours and only one user was affected. How many others found it, though, and failed to report it or even took advantage of it?

Authentication and access

Typically, communication between users and cloud services is secured using SSL. It is a familiar technology – too familiar. Certificate warnings are treated by most users as a nuisance and they ignore them. They might not notice if they are logging on to a spoof site as the result of, say, a DNS poisoning exploit. Of course, the rogues who created the spoof site could also disable SSL to avoid the possibility of warnings.

Google has demonstrated the kind of authentication vulnerability that

Data governance

Given that cloud services are shared by many customers, you also need to worry about data segregation. In this kind of multi-tenancy arrangement, how certain are you that other customers cannot get at your information? It may be an unlikely scenario but what about who else has access to that data? Presumably, system administrators at the cloud vendor need access in order to run the system. As the Gartner report points out, these are “people who do not have a long-term commitment to your

Taking control

Underlying all this is the issue of who has control. Who has the responsibility for security and the ability to take action? Without clarifying this it is impossible to ensure adequate data governance.

If you run your own systems you can implement, test, and verify security measures to your own satisfaction. With a cloud service you are dependent on the service supplier to implement strong security and take appropriate and timely action when a problem occurs.

A cloud service provider will argue

What do you do?

There are no security standards specific to cloud computing. Worse, security is often addressed as an afterthought in the rush to adopt these technologies. Nevertheless, you can usefully apply conventional security concepts.

“This is a displacement of risk rather than additional risk,” says Gunter Ollmann, chief security strategist for IBM Internet Security Systems. “From my own professional penetration testing experiences, these larger applications tend to be orders of magnitude more secure

References (3)

  • J. Heiser et al. “Assessing the security risks of cloud computing.” Gartner, 3 June 2008.
