Cloud
11/15/2013
08:00 AM
Frank Ohlhorst
Frank Ohlhorst
Commentary
50%
50%

Avoid The Bermuda Triangle of Cloud Security

As cloud services permeate the enterprise, security still inhabits the unknown. Can enterprises venture into cloud-based security without traversing a Bermuda triangle of doubt?

Enterprises are turning to the cloud for all sorts of permutations of the family of cloud services. Although these services may lighten the load on corporate data centers and simplify administration, support, and provisioning, there is what some may call a dark side, which amounts to securing those scattered services and protecting the data that traverses the heterogeneous networks that may lie between.

Naturally, cloud services providers have an answer, one that implies a self-severing nature -- security-as-a-service, or SECaaS -- where security is outsourced to a host (or provider). While it may sound like an ideal methodology for removing the burdens of security management from internal IT, and fully leveraging what the cloud has to offer, there are some things IT managers need to consider before signing on the dotted line.

First and foremost is defining exactly what the SECaaS offers in the form of security -- and that may take delving deeper into the service-level agreements (SLAs) that accompany a given service. For example, does the offering include firewall (and firewall management), VPN (site-to-site, user-to-app, etc.), intrusion prevention, intrusion detection, anti-malware, user authentication, auditing, traffic analysis, and so on?

In other words, it's critically important to verify that SECaaS offers 360 degrees of protection, because any missed element could quickly lead to a breach.

It's also very important to determine the level of responsibility of the SECaaS vendor, asking questions such as:

  • Who maintains the system?
  • Who has patching responsibilities?
  • Who provisions new users?
  • Who audits system security?

These questions should all be represented in the SLA, and more importantly -- vetted by corporate IT.

The real challenge with cloud-based or hosted security is not the technology itself, but how it's used. Many corporate entities do not leverage capabilities to their fullest, which creates an environment where a breach becomes not only possible, but inevitable.

That has blackened the eye of cloud security offerings. However, improper use of services has not been the only culprit here; many vendors have also made missteps on the path to hosted security, creating disasters of their own making, which in turn has cast a negative light on hosted security.

Yet vendors are learning from their mistakes, advancing the technologies to create hybrid offerings, such as those managed security solutions that incorporate endpoint security with a premise security appliance. This is connected to the cloud services provider for updating, management, monitoring, and so on.

The idea here is to abstract security from centralized processing and then distribute security technologies to the various endpoints and parts of the network that control traffic. At the same time, there is still central management, and a control console to consolidate and unify security management.

As vendors improve their hosted offerings and integrate more security capabilities, SECaas will become more viable for enterprises, and at that point the conversation can switch to budgetary concerns, such as return on investment (ROI) and total cost of ownership (TCO), which will become the primary motivators to move security into the cloud.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
11/16/2013 | 6:59:21 PM
Security as a Service
Some security technologies work well in the hosted model, such as URL filtering and email security; both of those have fairly long track records. Less proven cloud-based security services include identity & access management.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7437
Published: 2015-03-29
Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.

CVE-2013-7438
Published: 2015-03-29
Multiple buffer overflows in pbm212030 allow remote attackers to cause a denial of service (crash) or possible execute arbitrary code via a crafted PBM image, related to (1) stream line data, which triggers a heap-based buffer overflow, or (2) vectors related to an "internal intermediate heap-based ...

CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.