5 Ways Cloud Services Can Soothe Security Fears In 2014

Companies need cloud providers to delineate responsibilities for the security of data, provide better security information, and encrypt data everywhere

Enterprise use of cloud services grew tremendously in 2013, but perceived security shortfalls continue to be the biggest block for companies in adopting the services.

For most industries, cloud services have already become part of the corporate infrastructure, either by design or, more often, by workers adopting cloud services without the approval of the IT department. Cloud-service assessment firm Skyhigh Networks, for example, adds approximately 500 cloud services to those that it already tracks, according to CEO and co-founder Rajiv Gupta.

"Employees are using cloud services almost with abandon, without assessing the risk of those services," Gupta says. For that reason, security requirements will move front and center in 2014, he says. No wonder, then, that nearly half of all IT managers continue to be concerned about the security of their cloud resources, even though 35 percent believe the security of the cloud to be superior to on-premises deployments. One reason: Many cloud providers continue to fail to address the concerns of their clients, says Charles Burckmyer, president of security-service provider Sage Data Security, whose clients often work with the firm to assess the security of third-party cloud services.

"Clients need to build a structured approach to working with cloud vendors and have a process for creating permissible exceptions, assigning risks and mitigating that risk," he says. "Support around and by cloud services is vital for most clients today."

By opening a dialogue with their cloud providers, companies can create a secure hybrid infrastructure. Here are five topics that companies should discuss with their cloud providers in 2014, according to security experts.

1. Make security responsibilities clear.
Cloud-service providers continue to place the responsibility for securing business data on the client, while many clients assume that cloud services will take responsibility for the data stored in their services.

The gap in expectations narrowed in 2013 compared to previous years, but more than a third of customers still expect their software-as-a-service provider to secure the applications and data, according to a Ponemon Institute study released in March. Only 8 percent of companies assess the security of the applications using their information-technology and security teams, the study found.

While many industries have moved to the cloud without concern, security-conscious industries and those that have to comply with regulations are balking because cloud providers are not clarifying their risk, says Sage Data Security's Burckmyer.

"Cloud-vendor due diligence and understanding what your responsibilities are, as a client, and what your vendor is doing to support you in those responsibilities is a very necessary topic," he says. "There has been a reticence about moving to the cloud, from a regulatory and from a security standpoint, because many providers are not doing enough."

2. Design systems to provide meaningful log data.
Companies increasingly want to collect security information on what is happening to their data and applications out in the cloud. Yet many cloud providers do not supply detailed log files or cannot adequately separate the events pertaining to one customer from those dealing with another.

"We need to make that the default standard practice, that there is a certain amount of logging information that is available proactively for all the different analytics that companies need to track," says Jim Reavis, CEO of the Cloud Security Alliance. "A big sore spot has been log file information, and that has been a sticking point."

[With cloud services collecting more data from businesses, firms should prepare for potential breaches that involve their providers. See Enterprises Should Practice For Cloud Security Breaches.]

Keeping audit logs of admin access is especially important, but most smaller cloud services do not provide such information.

3. Encryption needs to be pervasive.
Companies are not only demanding end-to-end encryption in the cloud, but increasingly asking cloud providers to let them encrypt data on-premises before sending it to the cloud.

Cloud providers should not only work with their customers, but develop strong encryption solutions that allow the companies to be confident that their data is secure, while allowing some features to be preserved, says Sanjay Beri, CEO of cloud-service management firm Netskope.

"Encryption is the one thing that they, as an app provider, can do better than anyone in the middle," Beri says. "No one knows the app better than they do, and as long as they expose the keys to be managed by someone else, many customers will be very happy."
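The arrangement described in this section, as an added example that is not code from the article or from any vendor named in it: the customer generates and keeps the AES-256-GCM key on premises, encrypts each object before upload, and the provider only ever stores ciphertext. The Customer, Provider, Upload and Download names and the in-memory store are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type (
	Customer struct{ gcm cipher.AEAD }          // AES-256-GCM key, held on premises only
	Provider struct{ store map[string][]byte } // stands in for the cloud service's object store
)

// NewCustomer generates the data key locally; it is never shared with the provider.
func NewCustomer() *Customer {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // no usable entropy: refuse to continue with a weak key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // impossible for a 32-byte key
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return &Customer{gcm: gcm}
}

// Upload encrypts before the bytes leave the customer. The object name is bound as
// associated data, so a blob the provider moved or renamed fails to authenticate.
func (c *Customer) Upload(p *Provider, name string, plaintext []byte) error {
	nonce := make([]byte, c.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p.store[name] = c.gcm.Seal(nonce, nonce, plaintext, []byte(name)) // nonce || ct || tag
	return nil
}

// Download fetches the stored blob and decrypts it; the provider only handled ciphertext.
func (c *Customer) Download(p *Provider, name string) ([]byte, error) {
	blob, n := p.store[name], c.gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("object missing or truncated")
	}
	return c.gcm.Open(nil, blob[:n], blob[n:], []byte(name))
}
```

Features the provider would normally implement over plaintext (search, deduplication, preview) no longer work on these objects, which is the trade-off the section alludes to.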

4. Alert users to anomalies.
Encryption, however, is not sufficient to protect a customer's data if an attacker has gained access to account credentials. For that reason, cloud providers must also maintain good anomaly detection systems and share the information and audit records from those systems with the client, says Skyhigh's Gupta.

"You need all these different tools to make sure that the cloud provider meets the customer's requirement," he says. "It is a layered approach."
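Points 2 and 4 together, as an added example that is not from the article: a consumer of a shared provider audit log that keeps only its own tenant's lines, surfaces admin actions, and flags a user logging in from two countries within a short window, which is one signal that account credentials have been stolen. The log format, the tenant names and the events are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample audit log with two tenants interleaved; the key=value layout is an assumption for this example.
const sampleLog = `2014-01-06T09:00:00Z tenant=acme user=alice action=login country=US
2014-01-06T09:05:00Z tenant=globex user=bob action=login country=DE
2014-01-06T09:10:00Z tenant=acme user=root action=admin.grant_role country=US
2014-01-06T09:30:00Z tenant=acme user=alice action=login country=BR
2014-01-06T10:00:00Z tenant=globex user=bob action=download country=DE`

// tenantAlerts keeps only one tenant's lines (the provider must be able to separate
// customers' records) and flags admin actions plus a user logging in from two
// countries within window, a crude indicator of stolen credentials.
func tenantAlerts(raw, tenant string, window time.Duration) []string {
	var out []string
	lastAt := map[string]time.Time{} // per-user time of the previous login
	lastCC := map[string]string{}    // per-user country of the previous login
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		ts, err := time.Parse(time.RFC3339, strings.SplitN(line, " ", 2)[0])
		if len(f) != 5 || err != nil {
			continue // malformed line: skip rather than guess
		}
		kv := map[string]string{}
		for _, field := range f[1:] {
			k, v, _ := strings.Cut(field, "=")
			kv[k] = v
		}
		if kv["tenant"] != tenant {
			continue // another customer's event: never surfaced to this tenant
		}
		user, action, country := kv["user"], kv["action"], kv["country"]
		if strings.HasPrefix(action, "admin.") {
			out = append(out, fmt.Sprintf("admin action %s by %s", action, user))
		}
		if action != "login" {
			continue
		}
		if prev, ok := lastAt[user]; ok && lastCC[user] != country && ts.Sub(prev) <= window {
			out = append(out, fmt.Sprintf("%s logged in from %s then %s within %v", user, lastCC[user], country, window))
		}
		lastAt[user], lastCC[user] = ts, country
	}
	return out
}
```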

5. Discuss protections from third-party access.
While cloud providers have to abide by the jurisdiction of the nation in which they do business and in which their data resides, the revelations about the massive data collection conducted by the U.S. National Security Agency and other nations' intelligence groups have left companies increasingly asking cloud providers about who requests data, how frequently, and whether the provider complies with the requests.

"It is very clear that providers need to help consumers understand how they manage and handle requests for information," says the CSA's Reavis. "Providers are not beginning to see that they need to put government requests at arm's length."

That clarity needs to extend to the ownership of the information as well, says Skyhigh's Gupta. Cloud providers need to emphasize that their clients continue to own their own data, and be as explicit as possible about the provider's use of that data.

"How long do they keep your data? In some cases, they keep your data longer than you want them to, in others, they don't give you enough time to retrieve your data, if you leave the service," he says.

Eddie Mayan
User Rank: Apprentice
1/20/2014 | 3:21:56 PM
re: 5 Ways Cloud Services Can Soothe Security Fears In 2014
Security concerns in Cloud Computing. CloudWays provides free consultancy to users for cloud security.
Robert A.C590
User Rank: Apprentice
12/18/2013 | 8:47:45 PM
re: 5 Ways Cloud Services Can Soothe Security Fears In 2014
"Keep government requests for data at arm's length"??? Good luck with that strategy if you are a corporation registered in the US. You can make the data more easily accessible directly from the customer if you 1) encrypt before sending to the cloud, as you suggest in #3, 2) have the customer exclusively maintain the key - opposite of what you suggest in #3, 3) ensure that the cloud provider has no technological or operational means to access the key, and 4) ensure this is spelled out in the T&C's. Several SaaS providers do this today.