Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:19 PM

5 Ways Cloud Services Can Soothe Security Fears In 2014

Companies need cloud providers to delineate responsibilities for the security of data, provide better security information, and encrypt data everywhere

Enterprise use of cloud services grew tremendously in 2013, but perceived security shortfalls continue to be the biggest block for companies in adopting the services.

For most industries, cloud services have already become part of the corporate infrastructure, either by design or, more often, by workers adopting cloud services without the approval of the IT department. Cloud-service assessment firm Skyhigh Networks, for example, adds approximately 500 cloud services to those that it already tracks, according to CEO and co-founder Rajiv Gupta.

"Employees are using cloud services almost with abandon, without assessing the risk of those services," Gupta says. For that reason, the security requirements will move front and center in 2014, he says. No wonder, then, that nearly half of all IT managers continue to be concerned about the security of their cloud resources, even though 35 percent believe the security of the cloud to be superior to on-premise deployments. One reason: Many cloud providers continue to fail to address the concerns of their clients, says Charles Burckmyer, president of security-service provider Sage Data Security, whose clients often work with the firm to assess the security of third-party cloud services.

"Clients need to build a structured approach to working with cloud vendors and have a process for creating permissible exceptions, assigning risks and mitigating that risk," he says. "Support around and by cloud services is vital for most clients today."

By opening a dialogue with their cloud providers, companies can create a secure hybrid infrastructure. Here are five topics that companies should discuss with their cloud providers in 2014, according to security experts.

1. Make security responsibilities clear.
Cloud-service providers continue to place the responsibility for securing business data on the client, while many clients assume that cloud services will take responsibility for the data stored in their services.

The gap in expectations narrowed in 2013 compared to previous years, but more than a third of customers still expect their software-as-a-service provider to secure the applications and data, according to a Ponemon Institute study released in March. Only 8 percent of companies assess the security of the applications using their information-technology and security teams, the study found.

While many industries have moved to the cloud without concern, security-conscious industries and those that have to comply with regulations are balking because cloud providers are not clarifying their risk, says Sage Data Security's Burckmyer.

"Cloud-vendor due diligence and understanding what your responsibilities are, as a client, and what your vendor is doing to support you in those responsibilities is a very necessary topic," he says. "There has been a reticence about moving to the cloud, from a regulatory and from a security standpoint, because many providers are not doing enough."

2. Design systems to provide meaningful log data.
Companies increasingly want to collect security information on what is happening to their data and applications out in the cloud. Yet many cloud providers do not supply detailed logs files or cannot adequately separate the events pertaining to one customer from those dealing with another.

"We need to make that the default standard practice, that there is a certain amount of logging information that is available proactively for all the different analytics that companies need to track," says Jim Reavis, CEO of the Cloud Security Alliance. "A big sore spot has been log file information, and that has been a sticking point."

[With cloud services collecting more data from businesses, firms should prepare for potential breaches that involve their providers. See Enterprises Should Practice For Cloud Security Breaches.]

Keeping audit logs of admin access is especially important, but most smaller cloud services do not provide such information.

3. Encryption needs to be pervasive.
Companies are not only demanding end-to-end encryption in the cloud, but increasingly asking for cloud providers to allow them to encrypt data on-premise before sending it to the cloud.

Cloud providers should not only work with their customers, but develop strong encryption solutions that allow the companies to be confident that their data is secure, while allowing some features to be preserved, says Sanjay Beri, CEO of cloud-service management firm Netskope.

"Encryption is the one thing that they, as an app provider, can do better than anyone in the middle," Beri says. "No one knows the app better than they do, and as long as they expose the keys to be managed by someone else, many customers will be very happy."

4. Alert users to anomalies.
Encryption, however, is not sufficient to protect a customer's data if an attacker has gained access to account credentials. For that reason, cloud providers must also maintain good anomaly detection systems and share the information and audit records from those systems with the client, says Skyhigh's Gupta.

"You need all these different tools to make sure that the cloud provider meets the customer's requirement," he says. "It is a layered approach."

5. Discuss protections from third-party access.
While cloud providers have to abide by the jurisdiction of the nation in which they do business and in which their data resides, the revelations about the massive data collection conducted by the U.S. National Security Agency and other nations' intelligence groups have left companies increasingly asking cloud providers about who requests data, how frequently, and whether the provider complies with the requests.

"It is very clear that providers need to help consumers understand how they manage and handle requests for information," says the CSA's Reavis. "Providers are not beginning to see that they need to put government requests are arm's length."

That clarity needs to extend to the ownership of the information as well, says Skyhigh's Gupta. Cloud providers need to emphasize that their clients' continue to own their own data, and be as explicit as possible about the provider's use of that data.

"How long do they keep your data? In some cases, they keep your data longer than you want them to, in others, they don't give you enough time to retrieve your data, if you leave the service," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Eddie Mayan
Eddie Mayan,
User Rank: Apprentice
1/20/2014 | 3:21:56 PM
re: 5 Ways Cloud Services Can Soothe Security Fears In 2014
Security concerns in Cloud Computing. CloudWays provides free consultancy to user fro cloud security.
Robert A.C590
Robert A.C590,
User Rank: Apprentice
12/18/2013 | 8:47:45 PM
re: 5 Ways Cloud Services Can Soothe Security Fears In 2014
"Keep government requests for data at arm's length"??? Good luck with that strategy if you are a corporation registered in the US. You can make the data more easily accessible directly from the customer if you 1) encrypt before sending to the cloud, as you suggest in #3, 2) have the customer exclusively maintain the key - opposite of what you suggest in #3, 3) ensure that the cloud provider has no technological or operational means to access the key, and 4) ensure this is spelled out in the T&C's. Several SaaS providers do this today.
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-16
IBM Sterling File Gateway through is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.