Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Cloud Security By The Numbers
Newest First  |  Oldest First  |  Threaded View
DmitriS346
DmitriS346,
 User Rank: Apprentice
11/27/2014 | 12:52:41 AM
Re: Is the cloud really less secure?
There are different clouds out there. Not sure which cloud is discussed here.

"They also manage more uniform environments, leaving them with less detail to track."

and that means a few things:

1) Uniform means attack on one part of infrastructure that is successfull, is sucessfull attack on all part of it, since it can be reused.

2) Less options for security. That's right. If I am full scale paranoid, I can't use all means available for me to protect my users, including from themselves.



3) Restoration of data.

Oh yeah, this is a sweet one. If only one customer, specifically me has been badly affected, due to non cloud issues, there is not much I can do to restore data. I am at will of cloud provider here And will says NO. As it's not economically feaseble to restore file or two.

I have refused restoring those files myself. Just for record, I worked for cloud provider myself. For two of them actually. I was sacked from last one. Though it's entirely different story.

And remember, policy of any company is not trueth, but profit. Especially when any kind of outsourcing is involved. I know that, as I worked for a few.

To add to minuses of cloud. They will hapilly assist you to migrate to them, but not from them. And it may be hughe pain in the butt later.
Dr.T
Dr.T,
 User Rank: Ninja
11/24/2014 | 8:17:28 PM
Re: Is the cloud really less secure?
I see your point. We may be better of being on Microsoft Azure platform than Target's POS system. Clots solution tend to have standard level of security otherwise they could not sell the service to the public.
Dr.T
Dr.T,
 User Rank: Ninja
11/24/2014 | 8:15:10 PM
Re: Is the cloud really less secure?
I mainly agree. All the security concerns will go away if we just encrypt data at rest.
Dr.T
Dr.T,
 User Rank: Ninja
11/24/2014 | 8:05:01 PM
Cloud is more secure
I think I am in one of these slides, I tend to think cloud is more secure when I start thinking security measures, or lack of it, that lots of SME are using. Cloud provides a certain level of security by default.
ODA155
ODA155,
 User Rank: Ninja
11/24/2014 | 11:00:26 AM
Re: Is the cloud really less secure?
@Marilyn Cohodas, "But the issues of  security of the data remains the same regardless of who owns the servers and where they are located.". That is absolutley correct, but from every security professional that I know, when this topic comes up for discussion, inside thier companies, it's never about security, it's about providing some type of functionality or solution that does not already exist internally or treating that "cloud" as an appendage to their own networks because it's faster and cheaper than building, managing and maintaining your own.

My company for example, would rather put a service in the cloud\outsource (that's what it really is, rebranded outsourcing) rather than hire a professional inhouse to do exactly what we need, you settle for what the provider can\will offer.  If we don't already have someone who has the skills the rule is send it to the cloud, and that is about $$$, not security, I wish it were. And what happens when you have people so overloaded with responsibilities that they really shouldn't mix with outher responsibilities... If a company were as willing to invest in securing their internal network as they are in trying to get everything into a cloud, then you wouldn't see so many of these data breaches, I know this is a streach, but I would be surprised if some companies haven't used Target, Home Depot and others as reasoning to move to a cloud for what ever it is the need.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/24/2014 | 10:22:32 AM
Re: Is the cloud really less secure?
@ODA155, you make an interesting point about "the cloud" being "just another infrastructure that holds data." The metaphor gives the public the sense that "cloud" is somehow vastly different than  a bricks and mortar DC. And perhaps it is, for  most companies outside of Netflix, Google, Apple, and FB etc, in terms of scale. But the issues of  security of the data remains the same regardless of who owns the servers and where they are located.  
ODA155
ODA155,
 User Rank: Ninja
11/23/2014 | 11:41:48 PM
Re: Is the cloud really less secure?
Does it really matter... "the cloud" is just another infrastructure that holds data for other people that you HOPE has been designed properly w\security in mind. And just because you think you've transfered the risk on to the cloud provider, guess what, it's still your data or your customers data and you're still responsible for it. Cloud services need services provided the same as Target and Home Depot, maybe not the same services, but services none the less. Lastley, you can call it what you want or you can do as Apple did and blame the customer, but Apples cloud was breached and it will happen again.
Charlie Babcock
Charlie Babcock,
 User Rank: Ninja
11/21/2014 | 8:12:05 PM
Is the cloud really less secure?
I'm looking for the 51% majority that believes sending data to the cloud increases the risk of a breach to flip the other way. Soon a narrow majority will say the cloud is safer than their own premises. The Target breach and other recent breaches have been enterprise system intrusions, not cloud breaches. And a large successful cloud operation like Microsoft, SoftLayer or Amazon can devote more resources to security than most enterprises can. They also manage more uniform environments, leaving them with less detail to track.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file