
Risk

12/29/2008
07:36 PM
George V. Hulme
Commentary

Cloud Computing Security: What About It?

I'm always trolling the Web for insight into the latest technology trends, and how these trends could impact both how we use technology and how it may change how we secure our data. During my pursuit for knowledge, I'll often run into bone-headed comments and blogs, and when I do, for the most part, I just shrug them off. Today's experience isn't one of those times.

Through a series of Web clicks that I couldn't reconstruct if I tried, I stumbled upon this blog post from Howard Flomberg at Examiner.com. Flomberg says he's been reading about utility computing for decades, and I have no doubt as far as that is concerned. The concept of utility computing is certainly not new, and neither is the concept of virtualization, which has existed on mainframes for a long, long time.

But I do wonder why he, and many others, continue to confuse virtualization with "cloud computing" -- it is not. Sure, virtualization can be part of a cloud. But you could also have a cloud without virtualization. Likewise, running a few virtualized containers doesn't a cloud computing infrastructure make. Cloud computing is more about information and application services delivered via the Web as a simplified utility. While virtualization will be a fundamental building block of cloud computing, the two aren't one and the same. But even this semantic nuisance isn't what got my feathers fluttering.

It's that Flomberg, and many others, seem to think that cloud computing is natively secure. It most certainly is not. Here is Flomberg's zinger, after he accurately described some of the benefits of cloud computing:

By moving the application software and databases to their multi gazillion-byte servers you can concentrate on the product. Security - What about security? Off the shelf security has the CIA angered - they can't crack it.

I'm assuming he is talking about AES encryption. And it certainly is a good idea to encrypt data while it's traveling from the client PC to the cloud, and even while it is remotely stored. And there's no argument from me that encrypting data is an important facet of security -- but for an enterprise, this is only the beginning of information security as it relates to the cloud. It's not even the end of the beginning; it is really just the beginning.

I have a few "what about security" questions for Flomberg:

For starters: What about making sure the data is segregated? If you need to be compliant with any one of the myriad government and industry regulations, encrypting files without segregating them just doesn't cut it. Besides, you just don't want your high-value data to be commingled with your low-value data. Do you? Properly segregating data is something you'd want to do anyway.

Then there's the issue of in what country your data will reside. That's right: There are regulations in many countries that forbid certain types of protected data to actually leave the physical boundaries of a country.

What about having the ability to validate how your cloud provider keeps data secure? Or even the ability to independently audit their policies and processes?

What about the background of the employees and administrators hired by the cloud provider? Who will actually have access to your data? Even if it's encrypted, it can still be lost, destroyed, or your access to it cut. How does AES help you there?

What about your business continuity and disaster recovery plan?

What about data-loss prevention from the cloud?

How will your business manage identity and access management to cloud-based applications and data?

What about the fundamental security of the application code your cloud provider is using? I don't think buffer overflows and data injection attacks -- and all of the other application-based challenges we still haven't solved -- will just vaporize in the cloud. Please.

These are just a few of the security challenges that are arising from cloud-based computing, whether the cloud services are outsourced or you're building a private cloud.

To be so flippant about IT security as it relates to cloud computing, as to essentially say "what about it? -- just encrypt your data and you'll be fine," is as naive as it is dangerous. It is this type of shortsighted thinking about Web application security way back in 2000 that placed us, for the most part, in the application security mud we wallow in today.
