2/26/2013
03:27 AM

Cloud Security Falls Short ... But Could Be Great

A combination of immature security tools, weak partnerships, and a lack of strong commitment to security leaves cloud service firms short of providing strong protections

SAN FRANCISCO -- RSA CONFERENCE 2013 -- Public cloud services could have better security than the vast majority of corporate on-premise networks, but today's tools fail to provide needed protections, and providers and security firms fall short of the cooperation necessary to build security into the cloud.


Companies need to improve the performance of security tools that run in the cloud, add multitenancy, and make the management of cloud infrastructure easier, David Asprey, vice president of cloud security for Trend Micro, told attendees during the Cloud Security Alliance (CSA) Summit, which took place the day before the start of the RSA Conference. Cloud service providers need to give security higher priority in their businesses, while security companies need to provide tools that are created to thrive in highly virtualized environments, he said.

"It's time to rethink cloud security tools and technology so it works better with cloud service providers," Asprey said. "If we hit this right, then the cloud providers and the security providers work together and create a much better security feedback loop."

More than half of all respondents in a recent Trend Micro survey listed security as the reason they felt hesitant about moving to the cloud. No wonder: While some cloud providers accept shared responsibility for data in the cloud, the customer ends up with the actual responsibility, Asprey said.

Security firms need to build their software to natively work with multitenant systems and not slow processing in the cloud. It is unreasonable and inefficient to require that security software be installed in every virtual machine because that bogs down the cloud services' servers, Asprey said.

In addition, security firms need to provide their software on a more agile development cycle.

"Software providers typically have development cycles that last six or nine months, if not longer," he said. "Cloud threats -- cybercriminals -- move at cloud speed."

[With nearly half of IT managers avoiding cloud services over worries that their data will be leaked, it is time for cloud providers to become more transparent. See Cloud Security Measures Too Opaque For Customers.]

Another major problem with the cloud is that many services are architected to allow anyone with administrative privilege the ability to access all the data. A single breach -- or a malicious insider -- could give attackers complete control over the data of the provider's customers, said Oded Horovitz, founder and CEO of PrivateCore, a maker of secure virtual machine software for cloud applications.

"Cloud systems are built so that once you are in a certain perimeter, you are in," he said.

The virtual servers that run cloud applications typically rely on a tenuous web of trust. PrivateCore uses features of currently available trusted processors to verify the trust of the lowest common denominator, the CPU.

Other security experts highlighted the cloud's ability to concentrate risk -- and the danger that such a concentration entails.

"With the advent of cloud and the concentration of resources, you have created a single point of failure," said Alan LeFort, vice president of product management for virtualization management firm HyTrust.

While that concentration makes managing cloud resources more efficient, cloud service providers need to mitigate the worst-case scenarios, LeFort said.

"The security part has not evolved yet to the point that it is not in the way," LeFort said. "The cloud can be more secure with the right level of controls and the right level of automation."

Comments
BrainmanK,
User Rank: Apprentice
4/25/2013 | 4:00:41 PM
re: Cloud Security Falls Short ... But Could Be Great
The objective is to stay one step ahead and it's very successfully implemented intensive web research
BrainmanK,
User Rank: Apprentice
4/25/2013 | 3:58:09 PM
re: Cloud Security Falls Short ... But Could Be Great
Could you also use more than one protection program? Or would it lag your systems too much?
BrainmanK,
User Rank: Apprentice
4/25/2013 | 3:57:24 PM
re: Cloud Security Falls Short ... But Could Be Great
Just devote more processing power to it and then design more computer chips with nano tech. Wait, how come we aren't doing this yet ... or have we tried humanity?
Jumpto,
User Rank: Apprentice
3/1/2013 | 6:44:23 PM
re: Cloud Security Falls Short ... But Could Be Great
I never stated that ALL the security issues were solved. My problem was and still is a description of a landscape devoid of security options when the truth is that there are many security solutions out there which have been out there for years. Jumpto is only one. You would think that anyone writing about this industry would be aware of a few of them.
Wstr,
User Rank: Apprentice
2/27/2013 | 6:47:25 PM
re: Cloud Security Falls Short ... But Could Be Great
There are serious security hurdles to clear, particularly for specific types of sensitive data and the regulations involved. Some statements here are correct that there are workarounds - but by the time I go through all those layers of configuration, testing and monitoring, how did I gain anything over running services in my own private cloud infrastructure already in my own data center? Right now, cloud seems a much better option for a new enterprise that buys a big Internet pipe and creates secure connection to 3rd party so they don't have to build their own infrastructure. Even then, I would want to make sure I have a provider that supports open standards allowing me to move my services, intact, to another provider: it is the same old story as any other service - address cost, risks/benefits, and avoid lock-in! I don't think all three factors are quite there for everyone - just for some needs as appropriate.
11mike74,
User Rank: Apprentice
2/27/2013 | 6:00:08 PM
re: Cloud Security Falls Short ... But Could Be Great
Cloud security/applications have been around for a few years and being new people are hesitant to make the move into a new technology platform. However, with recent trends set by IBM, HP and others, people are starting to see the advantages. The Cloud platform today is not for everybody and people are comfortable with how they operate now and eventually this will change.
s12,
User Rank: Apprentice
2/27/2013 | 1:41:43 PM
re: Cloud Security Falls Short ... But Could Be Great
We made specific mention of cloud security months prior, stating that many would be hesitant to integrate, or use this.
11mike74,
User Rank: Apprentice
2/27/2013 | 1:33:39 PM
re: Cloud Security Falls Short ... But Could Be Great
Charlie, I agree that Internet Security is based on fear as served up by Security vendors. The old approach has a reactive stance to where companies wait for an incident then react to it and scare the hell out of people. Jumpto, on the other hand, takes a proactive approach up front. All security problems will never be solved due to the nature of the Internet. The objective is to stay one step ahead and it's very successfully implemented.
cbabcock,
User Rank: Apprentice
2/27/2013 | 12:13:52 AM
re: Cloud Security Falls Short ... But Could Be Great
Yes, the security firms push an agenda of fear, but I have yet to see the case where a little fear wasn't justified. I do not believe every security problem has been solved once and for all in the cloud, as Jumpto seems to, but I do think the cloud is a setting in which security will, in the long run, be easier to implement and maintain effectively. Charlie Babcock, InformationWeek
11mike74,
User Rank: Apprentice
2/26/2013 | 7:52:51 PM
re: Cloud Security Falls Short ... But Could Be Great
Very good article and research. Mainstream Cloud Security still has a way to go before it is ready for general use. However, Personal Private clouds, with extensive security are currently available and are being offered to the Journalists and Reporters industry. This can be found at securereporter.ca. Highly developed system