Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
4/14/2016
12:01 AM
Raj Samani
Raj Samani
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Is Cloud Security An Exaggerated Concern?

Research indicates the challenge has never been about security, but about transparency.

The results are in: We have made zero progress since 2010. This was the year that IDC published results of a survey regarding cloud computing, and it found that security was the biggest barrier toward adoption. This statistic has found its way onto pretty much every presentation about cloud computing since 2010.

Well the year is 2016, and a recent Intel Security study asked 1,200 IT decision-makers what their biggest concern is; the most common answer was data breaches. What is remarkable about this is that the next question in the survey asked respondents to comment on what issues they have experienced, and they were not security related. In fact, the biggest issue was the difficulty in migrating services or data. Incidentally, this is likely to get worse as the use of platform-as-a-service and infrastructure-as-a-service become more ubiquitous.

This does beg the question as to whether the issue of security concerns is exaggerated. Indeed, those of you that have heard me speak know that I do not believe the term “cloud security” is even an issue. Firstly, the concept of cloud is misused. If we strictly adhere to the NIST definition as per NIST 800-145, then the number of service providers offering a cloud service is a lot smaller than Google results suggest.

One of the key characteristics of a cloud provider (as per NIST) is to provide offering on-demand self-service. In 2012, the website CloudSleuth investigated how many cloud service providers actually fulfilled this characteristic; its research found that “of the 20 companies we selected in this round, only 11 were fully self-serve, nine required some level of sales interaction, and astoundingly, three of those nine simply didn't respond to our requests.”

It's About Transparency

So the term “cloud service provider” in practical terms is simply a company offering computing resources over broad network access. (Thank you, NIST!) Now let’s move to the concern regarding security. The question is not whether a provider is secure -- moving away from the argument over what constitutes secure or not. The challenge is how to determine the level of security of a provider. Therefore, the challenge has never been about security, but about transparency; in other words, how can you determine the security posture of a third-party provider without the ability to physically audit? Of course, annual audits have been the default tool of choice for many years now, but this model only provides a certain level of assurance.

Work within the Cloud Security Alliance (with whom we collaborated on this research) has begun to develop the necessary tools to provide the transparency so desperately needed. For example, STAR is a registry that documents the security controls deployed by providers. But perhaps the most encouraging tool is STAR Continuous Monitoring, which provides transparency of the security posture of a provider even after the auditor has left the building.

Perhaps for 2017 the concern of cloud security will not make it onto the opening slide of every presentation, and we can discuss the adoption of tools such as STAR that provide the requisite transparency into third-party providers. If there is concern about the security of a cloud provider, then the simple answer will be not to use them and to find a provider that satisfies the risk appetite of the end customer.

Raj has previously worked as the Chief Information Security Officer for a large public sector organization in the UK. He volunteers as the Cloud Security Alliance EMEA Strategy Advisor, is on the advisory councils for Infosecurity Europe, and Infosecurity Magazine. In ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JLA1
50%
50%
JLA1,
User Rank: Apprentice
4/25/2016 | 11:23:59 AM
Cloud Security
I agree the issue is not as much about security as it is transparency. When cloud providers think the best way to ensure security is through obscurity it gives my reason to think they are hiding something. I want to know how my data is secured and without that information I will not be comfortable with their service.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27652
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27653
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27654
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27655
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2020-27656
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.