Cloud
11/15/2013
08:00 AM
Frank Ohlhorst
Frank Ohlhorst
Commentary
50%
50%

Avoid The Bermuda Triangle of Cloud Security

As cloud services permeate the enterprise, security still inhabits the unknown. Can enterprises venture into cloud-based security without traversing a Bermuda triangle of doubt?

Enterprises are turning to the cloud for all sorts of permutations of the family of cloud services. Although these services may lighten the load on corporate data centers and simplify administration, support, and provisioning, there is what some may call a dark side, which amounts to securing those scattered services and protecting the data that traverses the heterogeneous networks that may lie between.

Naturally, cloud services providers have an answer, one that implies a self-severing nature -- security-as-a-service, or SECaaS -- where security is outsourced to a host (or provider). While it may sound like an ideal methodology for removing the burdens of security management from internal IT, and fully leveraging what the cloud has to offer, there are some things IT managers need to consider before signing on the dotted line.

First and foremost is defining exactly what the SECaaS offers in the form of security -- and that may take delving deeper into the service-level agreements (SLAs) that accompany a given service. For example, does the offering include firewall (and firewall management), VPN (site-to-site, user-to-app, etc.), intrusion prevention, intrusion detection, anti-malware, user authentication, auditing, traffic analysis, and so on?

In other words, it's critically important to verify that SECaaS offers 360 degrees of protection, because any missed element could quickly lead to a breach.

It's also very important to determine the level of responsibility of the SECaaS vendor, asking questions such as:

  • Who maintains the system?
  • Who has patching responsibilities?
  • Who provisions new users?
  • Who audits system security?

These questions should all be represented in the SLA, and more importantly -- vetted by corporate IT.

The real challenge with cloud-based or hosted security is not the technology itself, but how it's used. Many corporate entities do not leverage capabilities to their fullest, which creates an environment where a breach becomes not only possible, but inevitable.

That has blackened the eye of cloud security offerings. However, improper use of services has not been the only culprit here; many vendors have also made missteps on the path to hosted security, creating disasters of their own making, which in turn has cast a negative light on hosted security.

Yet vendors are learning from their mistakes, advancing the technologies to create hybrid offerings, such as those managed security solutions that incorporate endpoint security with a premise security appliance. This is connected to the cloud services provider for updating, management, monitoring, and so on.

The idea here is to abstract security from centralized processing and then distribute security technologies to the various endpoints and parts of the network that control traffic. At the same time, there is still central management, and a control console to consolidate and unify security management.

As vendors improve their hosted offerings and integrate more security capabilities, SECaas will become more viable for enterprises, and at that point the conversation can switch to budgetary concerns, such as return on investment (ROI) and total cost of ownership (TCO), which will become the primary motivators to move security into the cloud.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
11/16/2013 | 6:59:21 PM
Security as a Service
Some security technologies work well in the hosted model, such as URL filtering and email security; both of those have fairly long track records. Less proven cloud-based security services include identity & access management.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9676
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

CVE-2014-9682
Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

CVE-2015-0655
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

CVE-2015-0884
Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

CVE-2015-0885
Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.