Cloud

9/23/2016
01:00 PM
Terry Sweeney
Terry Sweeney
Slideshows
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

7 Ways Cloud Alters The Security Equation

Would-be and existing customers must understand that security isn't set-and-forget just because it resides in the cloud.
Previous
1 of 8
Next

Image Source: Wikimedia Commons
Image author: Adam Jones

Image Source: Wikimedia Commons

Image author: Adam Jones

By now, the pitch for cloud-based services is familiar to anyone in IT: They're cheaper, more efficient, and will free up in-house infosec professionals for more value-added tasks (yes, everyone's really going to miss reviewing log management data). 

The promises of highly automated functionality and trouble-free operations may be slightly overstated, at least where cloud-based security is concerned. But most infosec professionals are already masters of due diligence, and cloud is like any other external service provider: seasoned security pros know to ask a lot of questions, perform their own testing and audits, and get customer references for the real skinny on how cloud-based security goes.

Smart, reputable cloud service providers will encourage/require customers to undertake many of these steps we outline here, and then some. But it should be noted any time a provider balks at being transparent or at providing greater levels of access and discovery. The partnership nature of cloud is inherent when it's essentially an outsourced service; for something as strategic as security, customers are going to want lots of disclosure and trust upfront.

Whether you're entertaining cloud security or are already a customer, here are some basic ways that these third-party services change the ways infosec professionals have traditionally conducted themselves. The list is by no means exhaustive. And if we've missed something egregious, leave us a note in the comments section below! Let's make this a multi-party dialog.

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
10/4/2016 | 8:32:18 AM
Re: 192.168.0.1
Thanks! Nice post
Freesoft5
50%
50%
Freesoft5,
User Rank: Apprentice
9/24/2016 | 7:24:30 AM
McAfee Total
nice blog
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.