Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Cloud Security Falls Short ... But Could Be Great

A combination of immature security tools, weak partnerships, and a lack of strong commitment to security leaves cloud service firms short of providing strong protections

SAN FRANCISCO -- RSA CONFERENCE 2013 -- Public cloud services could have better security than the vast majority of corporate on-premise networks, but today's tools fail to provide needed protections, and providers and security firms fall short of the cooperation necessary to build security into the cloud.

RSA Conference 2013
Click here for more articles.

Companies need to improve the performance of security tools that run in the cloud, add multitenancy, and make the management of cloud infrastructure easier, David Apsrey, vice president of cloud security for Trend Micro, told attendees during the Cloud Security Alliance (CSA) Summit, which took place the day before the start of the RSA Conference. Cloud service providers need to give security higher priority in their businesses, while security companies need to provide tools that are created to thrive in highly virtualized environments, he said.

"It's time to rethink cloud security tools and technology so it works better with cloud service providers," Asprey said. "If we hit this right, then the cloud providers and the security providers work together and create a much better security feedback loop."

More than half of all respondents in a recent Trend Micro survey listed security as the reason they felt hesitant about moving to the cloud. No wonder: While some cloud providers accept shared responsibility for data in the cloud, the customer ended up with the actual responsibility, Asprey said.

Security firms need to build their software to natively work with multitenant systems and not slow processing in the cloud. It is unreasonable and inefficient to require that security software be installed in every virtual machine because that bogs down the cloud services' servers, Asprey said.

In addition, security firms need to provide their software on a more agile development cycle.

"Software providers typically have development cycles that last six or nine months, if not longer," he said. "Cloud threats -- cybercriminals -- move at cloud speed."

[With nearly half of IT managers avoiding cloud services over worries that their data will be leaked, it is time for cloud providers to become more transparent. See Cloud Security Measures Too Opaque For Customers.]

Another major problem with the cloud is that many services are architected to allow anyone with administrative privilege the ability to access all the data. A single breach -- or a malicious insider -- could give attackers complete control over the data of the provider's customers, said Oded Horovitz, founder and CEO of PrivateCore, a maker of secure virtual machine software for cloud applications.

"Cloud systems are built so that once you are in a certain perimeter, you are in," he said.

The virtual servers that run cloud applications typically rely on a tenuous web of trust. PrivateCore uses features of currently available trusted processors to verify the trust of the lowest common denominator, the CPU.

Other security experts highlighted the cloud's ability to concentrate risk -- and the danger that such a concentration entails.

"With the advent of cloud and the concentration of resources, you have created a single point of failure," said Alan LeFort, vice president of product management for virtualization management firm HyTrust.

While that concentration makes managing cloud resources more efficient, cloud service providers need to mitigate the worst-case scenarios, LeFort said.

"The security part has not evolve yet to the point that it is not in the way," LeFort said. "The cloud can be more secure with the right level of controls and the right level of automation."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
BrainmanK
50%
50%
BrainmanK,
User Rank: Apprentice
4/25/2013 | 4:00:41 PM
re: Cloud Security Falls Short ... But Could Be Great
The objective is to stay one step ahead and it's very successfully implemented intensive web research
BrainmanK
50%
50%
BrainmanK,
User Rank: Apprentice
4/25/2013 | 3:58:09 PM
re: Cloud Security Falls Short ... But Could Be Great
could you also use more than one protection program? or would it lag your systems too much?
BrainmanK
50%
50%
BrainmanK,
User Rank: Apprentice
4/25/2013 | 3:57:24 PM
re: Cloud Security Falls Short ... But Could Be Great
just devote more processing power too it and then design more computer chips with nano tech. wait how come we arnt doing this yet ... or have we tried humanity?
Jumpto
50%
50%
Jumpto,
User Rank: Apprentice
3/1/2013 | 6:44:23 PM
re: Cloud Security Falls Short ... But Could Be Great
I never stated that ALL the security issues were solved. My problem was and still is a description of a landscape devoid of security options when the truth is that there are many security solutions out there which have been out there for years. Jumpto is only one. You would think that anyone writing about this industry would be aware of a few of them.
Wstr
50%
50%
Wstr,
User Rank: Apprentice
2/27/2013 | 6:47:25 PM
re: Cloud Security Falls Short ... But Could Be Great
There are serious security hurdles to clear, particularly for specific types of sensitive data and the regulations involved. Some statements here are correct that there are workarounds - but by the time I go through all those layers of configuration, testing and monitoring, how did I gain anything over running services in my own private cloud infrastructure already in my own data center? Right now, cloud seems a much better option for a new enterprise that buys a big Internet pipe and creates secure connection to 3rd party so they don't have to build their own infrastructure. Even then, I would want to make sure I have a provider that supports open standards allowing me to move my services, intact, to another provider: it is the same old story as any other service - address cost, risks/benefits, and avoid lock-in ! I don't think all three factors are quite there for everyone - just for some needs as appropriate.
11mike74
50%
50%
11mike74,
User Rank: Apprentice
2/27/2013 | 6:00:08 PM
re: Cloud Security Falls Short ... But Could Be Great
Cloud security/applications have been around for a few years and being new people are hesitant to make the move into a new technology platform. However, with recent trends-set by IBM, HP and-others,-people are starting to see the-advantages. The Cloud platform-today is not for everybody-and people are comfortable with how they operate now and eventually this will change.
s12
50%
50%
s12,
User Rank: Apprentice
2/27/2013 | 1:41:43 PM
re: Cloud Security Falls Short ... But Could Be Great
G We made specific mention of cloud security months prior, stating that many would be hesitant to intergrate, or use this.
11mike74
50%
50%
11mike74,
User Rank: Apprentice
2/27/2013 | 1:33:39 PM
re: Cloud Security Falls Short ... But Could Be Great
Charlie, I agree that Internet Security is based on fear as served up by Security vendors. The old approach has a reactive stance to where companies wait for an incident then react to it and scare the hell out of people. Jumpto, on the other hand, takes a proactive approach up front. All security problems-will never be solved due to the nature of the Internet. The objective is to stay one step ahead and it's very successfully implemented.
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
2/27/2013 | 12:13:52 AM
re: Cloud Security Falls Short ... But Could Be Great
Yes, the security firms push an agenda of fear, but I have yet to see the case where a little fear wasn't justified. I do not believe every security problem has been solved once and for all in the cloud, as Jumpto seems to, but I do think the cloud is a setting in which security will, in the long run, be easier to implement and maintain effectively. Charlie Babcock, InformationWeek
11mike74
50%
50%
11mike74,
User Rank: Apprentice
2/26/2013 | 7:52:51 PM
re: Cloud Security Falls Short ... But Could Be Great
Very good article and research. Mainstream Cloud Security still has a way to go before it is ready for general use. However, Personal Private clouds, with extensive security are currently available and are bieng offered to the Journalists and Reporters industry. This can be found at securereporter.ca. Highly developed system
Page 1 / 2   >   >>
Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34682
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
CVE-2021-31811
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31812
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-32552
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.
CVE-2021-32553
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.