Cloud
11/15/2013
08:00 AM
Frank Ohlhorst
Frank Ohlhorst
Commentary
50%
50%

Avoid The Bermuda Triangle of Cloud Security

As cloud services permeate the enterprise, security still inhabits the unknown. Can enterprises venture into cloud-based security without traversing a Bermuda triangle of doubt?

Enterprises are turning to the cloud for all sorts of permutations of the family of cloud services. Although these services may lighten the load on corporate data centers and simplify administration, support, and provisioning, there is what some may call a dark side, which amounts to securing those scattered services and protecting the data that traverses the heterogeneous networks that may lie between.

Naturally, cloud services providers have an answer, one that implies a self-severing nature -- security-as-a-service, or SECaaS -- where security is outsourced to a host (or provider). While it may sound like an ideal methodology for removing the burdens of security management from internal IT, and fully leveraging what the cloud has to offer, there are some things IT managers need to consider before signing on the dotted line.

First and foremost is defining exactly what the SECaaS offers in the form of security -- and that may take delving deeper into the service-level agreements (SLAs) that accompany a given service. For example, does the offering include firewall (and firewall management), VPN (site-to-site, user-to-app, etc.), intrusion prevention, intrusion detection, anti-malware, user authentication, auditing, traffic analysis, and so on?

In other words, it's critically important to verify that SECaaS offers 360 degrees of protection, because any missed element could quickly lead to a breach.

It's also very important to determine the level of responsibility of the SECaaS vendor, asking questions such as:

  • Who maintains the system?
  • Who has patching responsibilities?
  • Who provisions new users?
  • Who audits system security?

These questions should all be represented in the SLA, and more importantly -- vetted by corporate IT.

The real challenge with cloud-based or hosted security is not the technology itself, but how it's used. Many corporate entities do not leverage capabilities to their fullest, which creates an environment where a breach becomes not only possible, but inevitable.

That has blackened the eye of cloud security offerings. However, improper use of services has not been the only culprit here; many vendors have also made missteps on the path to hosted security, creating disasters of their own making, which in turn has cast a negative light on hosted security.

Yet vendors are learning from their mistakes, advancing the technologies to create hybrid offerings, such as those managed security solutions that incorporate endpoint security with a premise security appliance. This is connected to the cloud services provider for updating, management, monitoring, and so on.

The idea here is to abstract security from centralized processing and then distribute security technologies to the various endpoints and parts of the network that control traffic. At the same time, there is still central management, and a control console to consolidate and unify security management.

As vendors improve their hosted offerings and integrate more security capabilities, SECaas will become more viable for enterprises, and at that point the conversation can switch to budgetary concerns, such as return on investment (ROI) and total cost of ownership (TCO), which will become the primary motivators to move security into the cloud.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
11/16/2013 | 6:59:21 PM
Security as a Service
Some security technologies work well in the hosted model, such as URL filtering and email security; both of those have fairly long track records. Less proven cloud-based security services include identity & access management.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4293
Published: 2015-07-30
The packet-reassembly implementation in Cisco IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (CPU consumption or packet loss) via fragmented (1) IPv4 or (2) IPv6 packets that trigger ATTN-3-SYNC_TIMEOUT errors after reassembly failures, aka Bug ID CSCuo37957.

CVE-2014-7912
Published: 2015-07-29
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory c...

CVE-2014-7913
Published: 2015-07-29
The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corru...

CVE-2015-2977
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via unspecified vectors.

CVE-2015-2978
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation."

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!