Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

12/29/2008
07:36 PM
George V. Hulme
Commentary

Cloud Computing Security: What About It?

I'm always trolling the Web for insight into the latest technology trends, and how these trends could impact both how we use technology and how it may change how we secure our data. During my pursuit for knowledge, I'll often run into bone-headed comments and blogs, and when I do, for the most part, I just shrug them off. Today's experience isn't one of those times.

Through a series of Web clicks that I couldn't reconstruct if I tried, I stumbled upon this blog post from Howard Flomberg at Examiner.com. Flomberg says he's been reading about utility computing for decades, and I have no doubt as far as that is concerned. The concept of utility computing is certainly not new, and neither is the concept of virtualization, which has existed on mainframes for a long, long time.

But I do wonder why he, and many others, continue to confuse virtualization with "cloud computing" -- it is not. Sure, virtualization can be part of a cloud. But you could also have a cloud without virtualization. Likewise, running a few virtualized containers doesn't a cloud computing infrastructure make. Cloud computing is more about information and application services delivered via the Web as a simplified utility. While virtualization will be a fundamental building block of cloud computing, the two aren't one and the same. But even this semantic nuisance isn't what got my feathers fluttering.

It's that Flomberg, and many others, seem to think that cloud computing is natively secure. It most certainly is not. Here is Flomberg's zinger, after he accurately described some of the benefits of cloud computing:

By moving the application software and databases to their multi gazillion-byte servers you can concentrate on the product. Security - What about security? Off the shelf security has the CIA angered - they can't crack it.

I'm assuming he is talking about AES encryption. And it certainly is a good idea to encrypt data while it's traveling from the client PC to the cloud, and even while it is remotely stored. There's no argument from me that encrypting data is an important facet of security -- but for an enterprise, this is only the beginning of information security as it relates to the cloud. It's not even the end of the beginning.

I have a few "what about security" questions for Flomberg:

For starters: What about making sure the data is segregated? If you need to be compliant with any one of the myriad government and industry regulations, encrypting files without segregating them (by tenant and by data classification) just doesn't cut it. Besides, you just don't want your high-value data to be commingled with your low-value data. Do you? Properly segregating data is something you'd want to do anyway.

Then there's the issue of in what country your data will reside. That's right: There are regulations in many countries that forbid certain types of protected data to actually leave the physical boundaries of a country.

What about having the ability to validate how your cloud provider keeps data secure? Or, even for the ability to independently audit their policies and processes?

What about the background of the employees and administrators hired by the cloud provider? Who will actually have access to your data? Even if it's encrypted, it can still be lost, destroyed, or your access to it cut. How does AES help you there?

What about your business continuity and disaster recovery plan?

What about data-loss prevention from the cloud?

How will your business manage identity and access management to cloud-based applications and data?

What about the fundamental security of the application code your cloud provider is using? I don't think buffer overflows and injection attacks -- and all of the other application-based challenges we still haven't solved -- will just vaporize in the cloud. Please.
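To make the point concrete, here is an added example (not code from Hulme's commentary or from Flomberg's post) of the kind of injection bug that moves into the cloud along with the application. It runs against an in-memory SQLite table of constructed sample rows; the table layout, the user records, and the function names are assumptions made for illustration. Note that encrypting the storage underneath this database would do nothing to stop the attack, because the query runs with the application's own credentials and sees the decrypted data.

```python
import sqlite3

# Constructed sample data (an assumption for this example): a multi-tenant
# users table behind a login form, the sort of thing a cloud-hosted app exposes.
SAMPLE_USERS = [
    ("alice", "alice-secret", "tenant-a"),
    ("bob", "bob-secret", "tenant-b"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, tenant TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation: attacker input becomes SQL.

    With username = password = "' OR '1'='1" the statement becomes
      ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    which is true for every row, so every tenant's record comes back.
    """
    sql = (
        "SELECT username, tenant FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    """Same query with bound parameters: attacker input stays plain data."""
    sql = "SELECT username, tenant FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run the same injection payload through both versions and return the rows each yields."""
    conn = make_db()
    payload = "' OR '1'='1"
    leaked = login_vulnerable(conn, payload, payload)
    blocked = login_hardened(conn, payload, payload)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable query returned:", leaked)   # both tenants' rows
    print("hardened query returned:", blocked)    # nothing
```

The hardened version is not cloud-specific, and that is the point: parameterized queries, input validation and the rest of the application-security discipline are the provider's (or your) responsibility wherever the code happens to run.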

These are just a few of the security challenges that are arising from cloud-based computing, whether the cloud services are outsourced or you're building a private cloud.

To be so flippant about IT security as it relates to cloud computing, as to essentially say "what about it? -- just encrypt your data and you'll be fine" is as naive as it is dangerous. It is this type of shortsighted thinking about Web application security way back in 2000 that placed us, for the large part, in the application security mud we wallow in today.
