Perimeter

2/19/2013
11:02 AM
50%
50%

5 Overlooked Cloud-Based Compliance Dangers

Fully understanding risks helps avoid expensive surprises later

We all know the use of cloud-based resources is becoming increasingly common in organizations of all sizes. This can range from large-scale systems to small software-as-a-service tools. While convenient and sometimes quite cost-effective, this trend creates several compliance and data security dangers that are often overlooked. Here are five of the most serious issues:

1. Legal Liability: Whenever access to shared resources is constantly changing hands, ensuring the company is secure and compliant is like conducting an orchestra with musicians in different rooms. It takes extra effort to keep everyone on the same beat, otherwise the song (or security) falls apart. This applies with all shared resources, including hardware, software, or storage mediums.

2. Third-Party Validation: Unless you have complete control of your cloud-based assets, it is unlikely you can do much about how a cloud provider secures the data in their care. There are many data centers that make great efforts to obtain compliance certifications; however, you will probably be acting on faith that they remain secure and compliant.

3. Disclaimers Of Liability: The terms of a cloud provider's service-level agreement (SLA) normally states that the provider accepts no liability for data breaches. This is understandable from their perspective because the cost and effort to manage and track everyone involved in the hosting and use of the servers would be incredibly challenging. The bottom line is, when there's a data security breach, the cloud provider is not at risk, but your company is.

4. Application Interoperability: Moving data between secure systems and databases can create points of greater risk or exposure. Standardization can help solve this problem, but our experience is that a large number of system interfaces are still custom-built and often lack security that is as robust as the applications themselves.

5. Application Mismatched To Laws And Regulations: Many regulations and laws, such as HIPAA, require that access to private data be limited to the minimum number of necessary data fields required for a specific purpose. This level of granular detail is not a function of the cloud, but instead a function of the cloud-based application. Many such applications, particularly if they were originally designed for more general-purpose use, are not capable of meeting such compliance needs.

Unless you have invested in a private cloud in your own facilities, your organization may have little control over the security and monitoring of your system that you've placed in a cloud environment. However, an inventory of covered data points, periodic privacy, and security assessments, and a response plan for breaches can go a long way toward demonstrating compliance efforts that will mitigate the impact of a data breach.

Glenn S. Phillips is not sure if he is an overlooked danger. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks within. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.