Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Cloud Security Falls Short ... But Could Be Great

A combination of immature security tools, weak partnerships, and a lack of strong commitment to security leaves cloud service firms short of providing strong protections

SAN FRANCISCO -- RSA CONFERENCE 2013 -- Public cloud services could have better security than the vast majority of corporate on-premise networks, but today's tools fail to provide needed protections, and providers and security firms fall short of the cooperation necessary to build security into the cloud.

RSA Conference 2013
Click here for more articles.

Companies need to improve the performance of security tools that run in the cloud, add multitenancy, and make the management of cloud infrastructure easier, David Apsrey, vice president of cloud security for Trend Micro, told attendees during the Cloud Security Alliance (CSA) Summit, which took place the day before the start of the RSA Conference. Cloud service providers need to give security higher priority in their businesses, while security companies need to provide tools that are created to thrive in highly virtualized environments, he said.

"It's time to rethink cloud security tools and technology so it works better with cloud service providers," Asprey said. "If we hit this right, then the cloud providers and the security providers work together and create a much better security feedback loop."

More than half of all respondents in a recent Trend Micro survey listed security as the reason they felt hesitant about moving to the cloud. No wonder: While some cloud providers accept shared responsibility for data in the cloud, the customer ended up with the actual responsibility, Asprey said.

Security firms need to build their software to natively work with multitenant systems and not slow processing in the cloud. It is unreasonable and inefficient to require that security software be installed in every virtual machine because that bogs down the cloud services' servers, Asprey said.

In addition, security firms need to provide their software on a more agile development cycle.

"Software providers typically have development cycles that last six or nine months, if not longer," he said. "Cloud threats -- cybercriminals -- move at cloud speed."

[With nearly half of IT managers avoiding cloud services over worries that their data will be leaked, it is time for cloud providers to become more transparent. See Cloud Security Measures Too Opaque For Customers.]

Another major problem with the cloud is that many services are architected to allow anyone with administrative privilege the ability to access all the data. A single breach -- or a malicious insider -- could give attackers complete control over the data of the provider's customers, said Oded Horovitz, founder and CEO of PrivateCore, a maker of secure virtual machine software for cloud applications.

"Cloud systems are built so that once you are in a certain perimeter, you are in," he said.

The virtual servers that run cloud applications typically rely on a tenuous web of trust. PrivateCore uses features of currently available trusted processors to verify the trust of the lowest common denominator, the CPU.

Other security experts highlighted the cloud's ability to concentrate risk -- and the danger that such a concentration entails.

"With the advent of cloud and the concentration of resources, you have created a single point of failure," said Alan LeFort, vice president of product management for virtualization management firm HyTrust.

While that concentration makes managing cloud resources more efficient, cloud service providers need to mitigate the worst-case scenarios, LeFort said.

"The security part has not evolve yet to the point that it is not in the way," LeFort said. "The cloud can be more secure with the right level of controls and the right level of automation."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
BrainmanK
50%
50%
BrainmanK,
User Rank: Apprentice
4/25/2013 | 4:00:41 PM
re: Cloud Security Falls Short ... But Could Be Great
The objective is to stay one step ahead and it's very successfully implemented intensive web research
BrainmanK
50%
50%
BrainmanK,
User Rank: Apprentice
4/25/2013 | 3:58:09 PM
re: Cloud Security Falls Short ... But Could Be Great
could you also use more than one protection program? or would it lag your systems too much?
BrainmanK
50%
50%
BrainmanK,
User Rank: Apprentice
4/25/2013 | 3:57:24 PM
re: Cloud Security Falls Short ... But Could Be Great
just devote more processing power too it and then design more computer chips with nano tech. wait how come we arnt doing this yet ... or have we tried humanity?
Jumpto
50%
50%
Jumpto,
User Rank: Apprentice
3/1/2013 | 6:44:23 PM
re: Cloud Security Falls Short ... But Could Be Great
I never stated that ALL the security issues were solved. My problem was and still is a description of a landscape devoid of security options when the truth is that there are many security solutions out there which have been out there for years. Jumpto is only one. You would think that anyone writing about this industry would be aware of a few of them.
Wstr
50%
50%
Wstr,
User Rank: Apprentice
2/27/2013 | 6:47:25 PM
re: Cloud Security Falls Short ... But Could Be Great
There are serious security hurdles to clear, particularly for specific types of sensitive data and the regulations involved. Some statements here are correct that there are workarounds - but by the time I go through all those layers of configuration, testing and monitoring, how did I gain anything over running services in my own private cloud infrastructure already in my own data center? Right now, cloud seems a much better option for a new enterprise that buys a big Internet pipe and creates secure connection to 3rd party so they don't have to build their own infrastructure. Even then, I would want to make sure I have a provider that supports open standards allowing me to move my services, intact, to another provider: it is the same old story as any other service - address cost, risks/benefits, and avoid lock-in ! I don't think all three factors are quite there for everyone - just for some needs as appropriate.
11mike74
50%
50%
11mike74,
User Rank: Apprentice
2/27/2013 | 6:00:08 PM
re: Cloud Security Falls Short ... But Could Be Great
Cloud security/applications have been around for a few years and being new people are hesitant to make the move into a new technology platform. However, with recent trends-set by IBM, HP and-others,-people are starting to see the-advantages. The Cloud platform-today is not for everybody-and people are comfortable with how they operate now and eventually this will change.
s12
50%
50%
s12,
User Rank: Apprentice
2/27/2013 | 1:41:43 PM
re: Cloud Security Falls Short ... But Could Be Great
G We made specific mention of cloud security months prior, stating that many would be hesitant to intergrate, or use this.
11mike74
50%
50%
11mike74,
User Rank: Apprentice
2/27/2013 | 1:33:39 PM
re: Cloud Security Falls Short ... But Could Be Great
Charlie, I agree that Internet Security is based on fear as served up by Security vendors. The old approach has a reactive stance to where companies wait for an incident then react to it and scare the hell out of people. Jumpto, on the other hand, takes a proactive approach up front. All security problems-will never be solved due to the nature of the Internet. The objective is to stay one step ahead and it's very successfully implemented.
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
2/27/2013 | 12:13:52 AM
re: Cloud Security Falls Short ... But Could Be Great
Yes, the security firms push an agenda of fear, but I have yet to see the case where a little fear wasn't justified. I do not believe every security problem has been solved once and for all in the cloud, as Jumpto seems to, but I do think the cloud is a setting in which security will, in the long run, be easier to implement and maintain effectively. Charlie Babcock, InformationWeek
11mike74
50%
50%
11mike74,
User Rank: Apprentice
2/26/2013 | 7:52:51 PM
re: Cloud Security Falls Short ... But Could Be Great
Very good article and research. Mainstream Cloud Security still has a way to go before it is ready for general use. However, Personal Private clouds, with extensive security are currently available and are bieng offered to the Journalists and Reporters industry. This can be found at securereporter.ca. Highly developed system
Page 1 / 2   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.