Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

1/31/2013
08:34 PM
50%
50%

The Physical Security Factor With Cloud Providers

Anyone with access to your cloud providers' servers has access to your data. Don't think burglars or Ethan Hunt of 'Mission Impossible': think insiders and search warrants

Data center operator Rackspace takes the physical security of its facilities seriously.

In a post on the topic earlier this month, the company, which declined to be interviewed for this article, outlined some of the standard security procedures it takes to make sure that outsiders, and even rogue employees, do not have unaudited access to their customers' data. Among the measures are biometric two-factor authentication, video surveillance in all its facilities, and monthly access reviews.

"Security in the cloud is not just virtual," Jim Battenberg, cloud evangelist for Rackspace, writes in the post. "There are a host of physical controls that must be in place to ensure secure computing in the cloud."

No wonder: A rash of server thefts from data centers hit the industry in 2008 and served as a lesson to companies to beef up their security. Among the victims, financial house HSBC, Cable & Wireless's hosting services, and even Peter Gabriel's website.

Insiders are also a threat. While a physical breach may not be a company's most major risk, or even in the top five risks, it is still a significant security issue, says Rocky DeStafeno, CEO of security consultancy VisibleRisk, because insiders are regularly bribed for their access to information.

"The problem is the cost of bribing someone for data is minuscule," he says. "The cost of top secret information is almost always in hundreds of dollars per secret, not millions."

And for all its diligence, Rackspace's security measures--or those of any other provider--could likely all be circumvented with a single piece of a paper: A search warrant or, more drastically, the national security letters used to hunt down spies and terrorists. In June 2011, for example, Instapaper lost the use of a server because it was taken during a raid by the FBI.

Companies move to the cloud to become more efficient, better manage their data, and gain ready access from anywhere. Unfortunately, they are also giving up control over access to their information, says Oded Horovitz, co-founder and CEO of startup PrivateCore. Even encrypted data, to be processed by applications in the cloud, has to be decrypted, and that means putting it in danger.

"Cloud providers might claim that they have the best physical security in the world, but how do you know that?" Horovitz asks. "It's not that physical security is different because it's in the cloud, the difference is that you are no longer doing it, someone else is doing it for you, and now you have trust somebody with physical security."

[Anxiety over the security of cloud services has waned, according to new research, showing that enterprises are becoming a bit less worried than they used to be. See Survey: IT Less Stressed About Cloud Security.]

PrivateCore aims to allow companies to attest that their data is safe. Using Intel's Trusted Execution Technology (TXT), PrivateCore has created its own secure hypervisor that allows a company to control and secure its own private virtual machines, even if they are running on public cloud infrastructure.

The company's technology is able to encrypt any code and data in memory, Horovitz says, and provides a secure hypervisor with a very small attack surface. Sensitive data is only decrypted inside a processor that is based on the trusted-computing technology. The technology will allow companies to have faith in the security of the virtual machine running in the cloud, as long as it is running on the trusted platform, Horovitz says.

"We make it so you don't have to trust anything except inside the CPU," he says. "Unless encrypted, even the system's memory cannot be trusted."

Last June, PrivateCore obtained $2.25 million in seed funding to develop the technology.

The technology appears interesting, but the security will rely on the implementation and how the keys are managed, says VisibleRisk's DeStafeno. Until they are ready to adopt such technologies, companies can request that their providers attest to certain security measures, perhaps most important among them is having an audit trail of who accesses the client's servers.

"One of the most simple things is to ask how detailed is the audit of who is accessing the systems," he said. "If there is access outside the audit, then it become very simple for insiders to steal data."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AKessler
50%
50%
AKessler,
User Rank: Strategist
2/4/2013 | 10:20:34 PM
re: The Physical Security Factor With Cloud Providers


It's
inevitable that enterprises will lose some degree of control when they move
data to the cloud, but the economics are enormously compelling; the key is to
mitigate business risk. From where I sit, it all comes down to putting in place
data security technologies that let enterprises secure even their most
sensitive data and gather the level of security intelligence necessary to let
them embrace the cloud with confidence. CISOs can maintain control of their
sensitive data - even in the cloud - if they put in place the appropriate
encryption, key management and privileged access controls and policies. Doing
this will protect them adequately against both insider threats and cloud
service provider snooping in ways that will accelerate cloud adoption.

Larry Seltzer - UBM Tech
50%
50%
Larry Seltzer - UBM Tech,
User Rank: Apprentice
2/1/2013 | 1:02:14 PM
re: The Physical Security Factor With Cloud Providers
Amazing. I can only assume it's decrypted in on-board cache because you can't encrypt/decrypt one register at a time. I'll have to look them up at RSA in San Francisco later this month.
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.