
Risk

12/29/2008
07:36 PM
George V. Hulme
Commentary

Cloud Computing Security: What About It?

I'm always trolling the Web for insight into the latest technology trends, and how these trends could impact both how we use technology and how it may change how we secure our data. During my pursuit for knowledge, I'll often run into bone-headed comments and blogs, and when I do, for the most part, I just shrug them off. Today's experience isn't one of those times.

Through a series of Web clicks that I couldn't reconstruct if I tried, I stumbled upon this blog post from Howard Flomberg at Examiner.com. Flomberg says he's been reading about utility computing for decades, and I have no doubt as far as that is concerned. The concept of utility computing is certainly not new, and neither is the concept of virtualization, which has existed on mainframes for a long, long time.

But I do wonder why he, and many others, continue to confuse virtualization with "cloud computing" -- it is not. Sure, virtualization can be part of a cloud. But you could also have a cloud without virtualization. Likewise, running a few virtualized containers doesn't a cloud computing infrastructure make. Cloud computing is more about information and application services delivered via the Web as a simplified utility. While virtualization will be a fundamental component of cloud computing, they aren't one and the same. But even this semantic nuisance isn't what got my feathers fluttering.

It's that Flomberg, and many others, seem to think that cloud computing is natively secure. It most certainly is not. Here is Flomberg's zinger, after he accurately described some of the benefits of cloud computing:

By moving the application software and databases to their multi-gazillion-byte servers you can concentrate on the product. Security - What about security? Off the shelf security has the CIA angered - they can't crack it.

I'm assuming he is talking about AES encryption. And it certainly is a good idea to encrypt data while it's traveling from the client PC to the cloud, and even while it is remotely stored. And there's no argument from me that encrypting data is an important facet of security -- but for an enterprise, this is only the beginning of information security as it relates to the cloud. And it's not even the end of the beginning. It is really just the beginning.

I have a few "what about security" questions for Flomberg:

For starters: What about making sure the data is segregated? If you need to be compliant with any one of the myriad government and industry regulations, encrypting files without segregating them just doesn't cut it. Besides, you just don't want your high-value data commingled with your low-value data. Do you? Properly segregating data is something you'd want to do anyway.

Then there's the issue of in what country your data will reside. That's right: There are regulations in many countries that forbid certain types of protected data to actually leave the physical boundaries of a country.

What about having the ability to validate how your cloud provider keeps data secure? Or even the ability to independently audit their policies and processes?

What about the background of the employees and administrators hired by the cloud provider? Who will actually have access to your data? Even if it's encrypted, it can still be lost, destroyed, or your access to it cut. How does AES help you there?

What about your business continuity and disaster recovery plan?

What about data-loss prevention from the cloud?

How will your business manage identity and access management to cloud-based applications and data?

What about the fundamental security of the application code your cloud provider is using? I don't think buffer overflows and data injection attacks -- and all of the other application-based challenges we still haven't solved -- will just vaporize in the cloud. Please.

These are just a few of the security challenges that are arising from cloud-based computing, whether the cloud services are outsourced or you're building a private cloud.
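To make the point concrete, here is an added example (not from the column, Flomberg's post, or any provider's tooling) that turns the questions above into a review over a constructed inventory of datasets placed with a hypothetical cloud provider. Every dataset in the sample is encrypted in transit and at rest, so the "just encrypt it" check passes, yet the review still reports segregation, residency, backup and provider-access findings. All names, fields, countries and counts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed example: a tiny inventory of datasets held by a cloud
# provider, reviewed against the questions raised in the column.
# All names, fields and values are hypothetical.


@dataclass
class Dataset:
    name: str
    classification: str               # "high" or "low" business value
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    storage_pool: str                 # provider storage the object lives in
    country: str                      # where the primary copy resides
    backup_country: Optional[str]     # None: no backup / DR copy exists
    provider_admins_with_access: int  # provider staff who can read it


@dataclass
class Policy:
    allowed_countries: Set[str]        # residency rule for protected data
    max_provider_admins_high: int = 0  # tolerated for high-value data


def all_encrypted(datasets: List[Dataset]) -> bool:
    """The 'just encrypt your data' view: true when every dataset is
    encrypted both in transit and at rest."""
    return all(d.encrypted_in_transit and d.encrypted_at_rest for d in datasets)


def review(datasets: List[Dataset], policy: Policy) -> Dict[str, List[str]]:
    """Return, per dataset, the findings that encryption alone does not cover."""
    # Which classifications share each storage pool (segregation check).
    pool_classes: Dict[str, Set[str]] = {}
    for d in datasets:
        pool_classes.setdefault(d.storage_pool, set()).add(d.classification)

    findings: Dict[str, List[str]] = {}
    for d in datasets:
        issues: List[str] = []
        if not d.encrypted_in_transit:
            issues.append("not encrypted in transit")
        if not d.encrypted_at_rest:
            issues.append("not encrypted at rest")
        # Residency: the primary copy must stay inside permitted countries.
        if d.country not in policy.allowed_countries:
            issues.append(f"primary copy resides in {d.country}, outside permitted countries")
        # Business continuity: a backup must exist and must also respect residency.
        if d.backup_country is None:
            issues.append("no backup or disaster-recovery copy")
        elif d.backup_country not in policy.allowed_countries:
            issues.append(f"backup copy resides in {d.backup_country}, outside permitted countries")
        if d.classification == "high":
            # Segregation: high-value data must not share a pool with low-value data.
            if "low" in pool_classes[d.storage_pool]:
                issues.append(f"commingled with low-value data in {d.storage_pool}")
            # Provider access: who at the provider can actually read it?
            if d.provider_admins_with_access > policy.max_provider_admins_high:
                issues.append(f"{d.provider_admins_with_access} provider administrators can read it")
        findings[d.name] = issues
    return findings


# Constructed inventory: everything is encrypted, so the "what about
# security?" answer looks complete. The review shows what it misses.
SAMPLE_DATASETS = [
    Dataset("customer-pii", "high", True, True, "pool-a", "US", None, 3),
    Dataset("marketing-assets", "low", True, True, "pool-a", "US", "DE", 3),
    Dataset("payroll", "high", True, True, "pool-b", "IE", "IE", 0),
]
SAMPLE_POLICY = Policy(allowed_countries={"US", "CA"})

if __name__ == "__main__":
    print("all encrypted:", all_encrypted(SAMPLE_DATASETS))
    for name, issues in review(SAMPLE_DATASETS, SAMPLE_POLICY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run as a script, the sample reports that all three datasets are encrypted and then lists six findings: the high-value customer data has no backup, shares a pool with marketing assets, and is readable by three provider administrators; the marketing backup sits outside the permitted countries; and the payroll data, primary and backup alike, resides outside them. Which checks belong in such a review is a policy decision for the enterprise, not the provider.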

To be so flippant about IT security as it relates to cloud computing, as to essentially say "what about it? -- just encrypt your data and you'll be fine" is as naive as it is dangerous. It is this type of shortsighted thinking about Web application security way back in 2000 that placed us, for the large part, in the application security mud we wallow in today.
