Cloud
11/15/2013
08:00 AM
Frank Ohlhorst
Frank Ohlhorst
Commentary
50%
50%

Avoid The Bermuda Triangle of Cloud Security

As cloud services permeate the enterprise, security still inhabits the unknown. Can enterprises venture into cloud-based security without traversing a Bermuda triangle of doubt?

Enterprises are turning to the cloud for all sorts of permutations of the family of cloud services. Although these services may lighten the load on corporate data centers and simplify administration, support, and provisioning, there is what some may call a dark side, which amounts to securing those scattered services and protecting the data that traverses the heterogeneous networks that may lie between.

Naturally, cloud services providers have an answer, one that implies a self-severing nature -- security-as-a-service, or SECaaS -- where security is outsourced to a host (or provider). While it may sound like an ideal methodology for removing the burdens of security management from internal IT, and fully leveraging what the cloud has to offer, there are some things IT managers need to consider before signing on the dotted line.

First and foremost is defining exactly what the SECaaS offers in the form of security -- and that may take delving deeper into the service-level agreements (SLAs) that accompany a given service. For example, does the offering include firewall (and firewall management), VPN (site-to-site, user-to-app, etc.), intrusion prevention, intrusion detection, anti-malware, user authentication, auditing, traffic analysis, and so on?

In other words, it's critically important to verify that SECaaS offers 360 degrees of protection, because any missed element could quickly lead to a breach.

It's also very important to determine the level of responsibility of the SECaaS vendor, asking questions such as:

  • Who maintains the system?
  • Who has patching responsibilities?
  • Who provisions new users?
  • Who audits system security?

These questions should all be represented in the SLA, and more importantly -- vetted by corporate IT.

The real challenge with cloud-based or hosted security is not the technology itself, but how it's used. Many corporate entities do not leverage capabilities to their fullest, which creates an environment where a breach becomes not only possible, but inevitable.

That has blackened the eye of cloud security offerings. However, improper use of services has not been the only culprit here; many vendors have also made missteps on the path to hosted security, creating disasters of their own making, which in turn has cast a negative light on hosted security.

Yet vendors are learning from their mistakes, advancing the technologies to create hybrid offerings, such as those managed security solutions that incorporate endpoint security with a premise security appliance. This is connected to the cloud services provider for updating, management, monitoring, and so on.

The idea here is to abstract security from centralized processing and then distribute security technologies to the various endpoints and parts of the network that control traffic. At the same time, there is still central management, and a control console to consolidate and unify security management.

As vendors improve their hosted offerings and integrate more security capabilities, SECaas will become more viable for enterprises, and at that point the conversation can switch to budgetary concerns, such as return on investment (ROI) and total cost of ownership (TCO), which will become the primary motivators to move security into the cloud.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
11/16/2013 | 6:59:21 PM
Security as a Service
Some security technologies work well in the hosted model, such as URL filtering and email security; both of those have fairly long track records. Less proven cloud-based security services include identity & access management.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?