5 Ways Cloud Services Can Soothe Security Fears In 2014

Companies need cloud providers to delineate responsibilities for the security of data, provide better security information, and encrypt data everywhere

Enterprise use of cloud services grew tremendously in 2013, but perceived security shortfalls continue to be the biggest block for companies in adopting the services.

For most industries, cloud services have already become part of the corporate infrastructure, either by design or, more often, by workers adopting cloud services without the approval of the IT department. Cloud-service assessment firm Skyhigh Networks, for example, adds approximately 500 cloud services to those that it already tracks, according to CEO and co-founder Rajiv Gupta.

"Employees are using cloud services almost with abandon, without assessing the risk of those services," Gupta says. For that reason, the security requirements will move front and center in 2014, he says. No wonder, then, that nearly half of all IT managers continue to be concerned about the security of their cloud resources, even though 35 percent believe the security of the cloud to be superior to on-premise deployments. One reason: Many cloud providers continue to fail to address the concerns of their clients, says Charles Burckmyer, president of security-service provider Sage Data Security, whose clients often work with the firm to assess the security of third-party cloud services.

"Clients need to build a structured approach to working with cloud vendors and have a process for creating permissible exceptions, assigning risks and mitigating that risk," he says. "Support around and by cloud services is vital for most clients today."

By opening a dialogue with their cloud providers, companies can create a secure hybrid infrastructure. Here are five topics that companies should discuss with their cloud providers in 2014, according to security experts.

1. Make security responsibilities clear.
Cloud-service providers continue to place the responsibility for securing business data on the client, while many clients assume that cloud services will take responsibility for the data stored in their services.

The gap in expectations narrowed in 2013 compared to previous years, but more than a third of customers still expect their software-as-a-service provider to secure the applications and data, according to a Ponemon Institute study released in March. Only 8 percent of companies assess the security of the applications using their information-technology and security teams, the study found.

While many industries have moved to the cloud without concern, security-conscious industries and those that have to comply with regulations are balking because cloud providers are not clarifying their risk, says Sage Data Security's Burckmyer.

"Cloud-vendor due diligence and understanding what your responsibilities are, as a client, and what your vendor is doing to support you in those responsibilities is a very necessary topic," he says. "There has been a reticence about moving to the cloud, from a regulatory and from a security standpoint, because many providers are not doing enough."

2. Design systems to provide meaningful log data.
Companies increasingly want to collect security information on what is happening to their data and applications out in the cloud. Yet many cloud providers do not supply detailed log files or cannot adequately separate the events pertaining to one customer from those dealing with another.

"We need to make that the default standard practice, that there is a certain amount of logging information that is available proactively for all the different analytics that companies need to track," says Jim Reavis, CEO of the Cloud Security Alliance. "A big sore spot has been log file information, and that has been a sticking point."

Keeping audit logs of admin access is especially important, but most smaller cloud services do not provide such information.

3. Encryption needs to be pervasive.
Companies are not only demanding end-to-end encryption in the cloud, but increasingly asking for cloud providers to allow them to encrypt data on-premise before sending it to the cloud.

Cloud providers should not only work with their customers, but develop strong encryption solutions that allow the companies to be confident that their data is secure, while allowing some features to be preserved, says Sanjay Beri, CEO of cloud-service management firm Netskope.

"Encryption is the one thing that they, as an app provider, can do better than anyone in the middle," Beri says. "No one knows the app better than they do, and as long as they expose the keys to be managed by someone else, many customers will be very happy."

4. Alert users to anomalies.
Encryption, however, is not sufficient to protect a customer's data if an attacker has gained access to account credentials. For that reason, cloud providers must also maintain good anomaly detection systems and share the information and audit records from those systems with the client, says Skyhigh's Gupta.

"You need all these different tools to make sure that the cloud provider meets the customer's requirement," he says. "It is a layered approach."

5. Discuss protections from third-party access.
While cloud providers have to abide by the jurisdiction of the nation in which they do business and in which their data resides, the revelations about the massive data collection conducted by the U.S. National Security Agency and other nations' intelligence groups have left companies increasingly asking cloud providers about who requests data, how frequently, and whether the provider complies with the requests.

"It is very clear that providers need to help consumers understand how they manage and handle requests for information," says the CSA's Reavis. "Providers are not beginning to see that they need to put government requests at arm's length."

That clarity needs to extend to the ownership of the information as well, says Skyhigh's Gupta. Cloud providers need to emphasize that their clients continue to own their own data, and be as explicit as possible about the provider's use of that data.

"How long do they keep your data? In some cases, they keep your data longer than you want them to, in others, they don't give you enough time to retrieve your data, if you leave the service," he says.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Eddie Mayan, User Rank: Apprentice
1/20/2014 | 3:21:56 PM
re: 5 Ways Cloud Services Can Soothe Security Fears In 2014
Security concerns in Cloud Computing. CloudWays provides free consultancy to users for cloud security.

Robert A.C590, User Rank: Apprentice
12/18/2013 | 8:47:45 PM
re: 5 Ways Cloud Services Can Soothe Security Fears In 2014
"Keep government requests for data at arm's length"??? Good luck with that strategy if you are a corporation registered in the US. You can make the data more easily accessible directly from the customer if you 1) encrypt before sending to the cloud, as you suggest in #3, 2) have the customer exclusively maintain the key - opposite of what you suggest in #3, 3) ensure that the cloud provider has no technological or operational means to access the key, and 4) ensure this is spelled out in the T&C's. Several SaaS providers do this today.