Cloud Security Falls Short ... But Could Be Great
A combination of immature security tools, weak partnerships, and a lack of strong commitment to security leaves cloud service firms short of providing strong protections.
SAN FRANCISCO -- RSA CONFERENCE 2013 -- Public cloud services could have better security than the vast majority of corporate on-premise networks, but today's tools fail to provide needed protections, and providers and security firms fall short of the cooperation necessary to build security into the cloud.
Companies need to improve the performance of security tools that run in the cloud, add multitenancy, and make the management of cloud infrastructure easier, David Asprey, vice president of cloud security for Trend Micro, told attendees during the Cloud Security Alliance (CSA) Summit, which took place the day before the start of the RSA Conference. Cloud service providers need to give security higher priority in their businesses, while security companies need to provide tools that are created to thrive in highly virtualized environments, he said.
"It's time to rethink cloud security tools and technology so it works better with cloud service providers," Asprey said. "If we hit this right, then the cloud providers and the security providers work together and create a much better security feedback loop."
More than half of all respondents in a recent Trend Micro survey listed security as the reason they felt hesitant about moving to the cloud. No wonder: While some cloud providers accept shared responsibility for data in the cloud, the customer ends up with the actual responsibility, Asprey said.
Security firms need to build their software to natively work with multitenant systems and not slow processing in the cloud. It is unreasonable and inefficient to require that security software be installed in every virtual machine because that bogs down the cloud services' servers, Asprey said.
In addition, security firms need to provide their software on a more agile development cycle.
"Software providers typically have development cycles that last six or nine months, if not longer," he said. "Cloud threats -- cybercriminals -- move at cloud speed."
[With nearly half of IT managers avoiding cloud services over worries that their data will be leaked, it is time for cloud providers to become more transparent. See Cloud Security Measures Too Opaque For Customers.]
Another major problem with the cloud is that many services are architected to allow anyone with administrative privilege the ability to access all the data. A single breach -- or a malicious insider -- could give attackers complete control over the data of the provider's customers, said Oded Horovitz, founder and CEO of PrivateCore, a maker of secure virtual machine software for cloud applications.
"Cloud systems are built so that once you are in a certain perimeter, you are in," he said.
The virtual servers that run cloud applications typically rely on a tenuous web of trust. PrivateCore uses features of currently available trusted processors to verify the trust of the lowest common denominator, the CPU.
Other security experts highlighted the cloud's ability to concentrate risk -- and the danger that such a concentration entails.
"With the advent of cloud and the concentration of resources, you have created a single point of failure," said Alan LeFort, vice president of product management for virtualization management firm HyTrust.
While that concentration makes managing cloud resources more efficient, cloud service providers need to mitigate the worst-case scenarios, LeFort said.
"The security part has not evolved yet to the point that it is not in the way," LeFort said. "The cloud can be more secure with the right level of controls and the right level of automation."