Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/17/2013
08:19 PM
50%
50%

5 Ways Cloud Services Can Soothe Security Fears In 2014

Companies need cloud providers to delineate responsibilities for the security of data, provide better security information, and encrypt data everywhere

Enterprise use of cloud services grew tremendously in 2013, but perceived security shortfalls continue to be the biggest block for companies in adopting the services.

For most industries, cloud services have already become part of the corporate infrastructure, either by design or, more often, by workers adopting cloud services without the approval of the IT department. Cloud-service assessment firm Skyhigh Networks, for example, adds approximately 500 cloud services to those that it already tracks, according to CEO and co-founder Rajiv Gupta.

"Employees are using cloud services almost with abandon, without assessing the risk of those services," Gupta says. For that reason, the security requirements will move front and center in 2014, he says. No wonder, then, that nearly half of all IT managers continue to be concerned about the security of their cloud resources, even though 35 percent believe the security of the cloud to be superior to on-premise deployments. One reason: Many cloud providers continue to fail to address the concerns of their clients, says Charles Burckmyer, president of security-service provider Sage Data Security, whose clients often work with the firm to assess the security of third-party cloud services.

"Clients need to build a structured approach to working with cloud vendors and have a process for creating permissible exceptions, assigning risks and mitigating that risk," he says. "Support around and by cloud services is vital for most clients today."

By opening a dialogue with their cloud providers, companies can create a secure hybrid infrastructure. Here are five topics that companies should discuss with their cloud providers in 2014, according to security experts.

1. Make security responsibilities clear.
Cloud-service providers continue to place the responsibility for securing business data on the client, while many clients assume that cloud services will take responsibility for the data stored in their services.

The gap in expectations narrowed in 2013 compared to previous years, but more than a third of customers still expect their software-as-a-service provider to secure the applications and data, according to a Ponemon Institute study released in March. Only 8 percent of companies assess the security of the applications using their information-technology and security teams, the study found.

While many industries have moved to the cloud without concern, security-conscious industries and those that have to comply with regulations are balking because cloud providers are not clarifying their risk, says Sage Data Security's Burckmyer.

"Cloud-vendor due diligence and understanding what your responsibilities are, as a client, and what your vendor is doing to support you in those responsibilities is a very necessary topic," he says. "There has been a reticence about moving to the cloud, from a regulatory and from a security standpoint, because many providers are not doing enough."

2. Design systems to provide meaningful log data.
Companies increasingly want to collect security information on what is happening to their data and applications out in the cloud. Yet many cloud providers do not supply detailed logs files or cannot adequately separate the events pertaining to one customer from those dealing with another.

"We need to make that the default standard practice, that there is a certain amount of logging information that is available proactively for all the different analytics that companies need to track," says Jim Reavis, CEO of the Cloud Security Alliance. "A big sore spot has been log file information, and that has been a sticking point."

[With cloud services collecting more data from businesses, firms should prepare for potential breaches that involve their providers. See Enterprises Should Practice For Cloud Security Breaches.]

Keeping audit logs of admin access is especially important, but most smaller cloud services do not provide such information.

3. Encryption needs to be pervasive.
Companies are not only demanding end-to-end encryption in the cloud, but increasingly asking for cloud providers to allow them to encrypt data on-premise before sending it to the cloud.

Cloud providers should not only work with their customers, but develop strong encryption solutions that allow the companies to be confident that their data is secure, while allowing some features to be preserved, says Sanjay Beri, CEO of cloud-service management firm Netskope.

"Encryption is the one thing that they, as an app provider, can do better than anyone in the middle," Beri says. "No one knows the app better than they do, and as long as they expose the keys to be managed by someone else, many customers will be very happy."

4. Alert users to anomalies.
Encryption, however, is not sufficient to protect a customer's data if an attacker has gained access to account credentials. For that reason, cloud providers must also maintain good anomaly detection systems and share the information and audit records from those systems with the client, says Skyhigh's Gupta.

"You need all these different tools to make sure that the cloud provider meets the customer's requirement," he says. "It is a layered approach."

5. Discuss protections from third-party access.
While cloud providers have to abide by the jurisdiction of the nation in which they do business and in which their data resides, the revelations about the massive data collection conducted by the U.S. National Security Agency and other nations' intelligence groups have left companies increasingly asking cloud providers about who requests data, how frequently, and whether the provider complies with the requests.

"It is very clear that providers need to help consumers understand how they manage and handle requests for information," says the CSA's Reavis. "Providers are not beginning to see that they need to put government requests are arm's length."

That clarity needs to extend to the ownership of the information as well, says Skyhigh's Gupta. Cloud providers need to emphasize that their clients' continue to own their own data, and be as explicit as possible about the provider's use of that data.

"How long do they keep your data? In some cases, they keep your data longer than you want them to, in others, they don't give you enough time to retrieve your data, if you leave the service," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Eddie Mayan
50%
50%
Eddie Mayan,
User Rank: Apprentice
1/20/2014 | 3:21:56 PM
re: 5 Ways Cloud Services Can Soothe Security Fears In 2014
Security concerns in Cloud Computing. CloudWays provides free consultancy to user fro cloud security.
Robert A.C590
50%
50%
Robert A.C590,
User Rank: Apprentice
12/18/2013 | 8:47:45 PM
re: 5 Ways Cloud Services Can Soothe Security Fears In 2014
"Keep government requests for data at arm's length"??? Good luck with that strategy if you are a corporation registered in the US. You can make the data more easily accessible directly from the customer if you 1) encrypt before sending to the cloud, as you suggest in #3, 2) have the customer exclusively maintain the key - opposite of what you suggest in #3, 3) ensure that the cloud provider has no technological or operational means to access the key, and 4) ensure this is spelled out in the T&C's. Several SaaS providers do this today.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13991
PUBLISHED: 2020-09-24
vm/opcodes.c in JerryScript 2.2.0 allows attackers to hijack the flow of control by controlling a register.
CVE-2020-15160
PUBLISHED: 2020-09-24
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8
CVE-2020-15162
PUBLISHED: 2020-09-24
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
CVE-2020-15843
PUBLISHED: 2020-09-24
ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow "Full Control" t...
CVE-2020-17365
PUBLISHED: 2020-09-24
Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially craf...