Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/18/2013
08:02 PM
50%
50%

Enterprises Should Practice For Cloud Security Breaches

With cloud services collecting more data from businesses, firms should prepare for potential breaches that involve their providers

Companies are increasingly moving to cloud: Over the 18 months ending June 2013, enterprises boosted their use of cloud storage by 90 percent, resulting in 45 percent more revenue for cloud service providers, according to report released by Verizon.

Yet businesses should expect bumps ahead. Attackers will increasingly focus on finding ways to compromise companies' cloud services to gain access to the valuable data stored in those online systems. From the attempted digital coup on CloudFlare's infrastructure to breaches at businesses services such as social network LinkedIn and e-mail marketing firm Epsilon Data Management, attackers have already shown interest in illicitly accessing enterprise data in the cloud.

While the security of cloud provides is typically better than the average company, breaches will happen, experts say. And responding to an incident will likely be more complex for businesses when the response includes a cloud provider's infrastructure.

"The key here is to plan ahead," says Kristy Westphal, information security officer with Element Payment Services, a secure payment processing firm recently acquired by Vantiv. "You need to know what is in your contract, what you can get access to, and what you are on the hook for."

At the coming Cloud Security Alliance (CSA) Congress, Westphal plans to discuss strategies for minimizing the impact of a cloud breach and smoothing incident response. As a first step, companies should begin including their cloud providers in their incident response planning, finding the appropriate contact at the firm, and discovering what resources they can expect in the event of a breach.

Companies need to know the provider's contractual obligations because there is often a murky line between the cloud provider's responsibilities and the customer's responsibilities, says Dave Dalva, vice president in the risk consulting practice at Stroz Friedberg.

In addition, companies should be familiar with the provider's technologies, such as what mechanisms the cloud firm has for logging, he says. In multitenant cloud environments, separating the logs of one client from another may be difficult. Businesses should also find out whether the provider will preserve data and hard drives for later forensics, and whether that is even possible in the cloud environment.

You need to make the lines of responsibility very clear, Dalva says.

"It may be very easy, or it may be very hard, but getting an appreciation for that stuff up front will make life a lot easier in the event of a breach," he says.

[What attacks are most likely against cloud computing environments? Here's a look -- and some advice. See How Cybercriminals Attack The Cloud.]

Before moving to the cloud, company management should discuss incident response with the cloud provider. Executives and IT managers should ask whether the cloud service provider offers enough assurances to protect data and respond to breaches, says Dave Anderson, senior director of marketing at Voltage Security, a data-encryption provider.

"Do you trust your cloud provider to securely or properly manage the data you are throwing up into the cloud? If the cloud providers are saying that we are not going to provide that level of end-to-end data protection for you, then it's up to you to do it," he says.

The response will also depend on the type of cloud service that a company uses: Platform-as-a-service (PaaS) and software-as-a-service (SaaS) will differ from infrastructure-as-a-service, such as Amazon EC2, because of the number of differences between cloud providers, Element's Westphal says.

The most important step for companies is to practice incident response exercises and include the cloud provider in the session, she says. IT managers should know who the point of contact is at the cloud service provider and who is responsible for contacting cloud providers.

"You need to know who the players are -- who would be involved and that they know what their roles are, so they are not trying to solve someone else's issue," Westphal says. "You can't buy that kind of preparation. The more prepared you are, the better off you will be."

While cloud providers may not provide much in terms of supporting incident response activities, that's changing, says Stroz Friedberg's Dalva.

"There is an opportunity for cloud providers that do do all the security stuff, and we are starting to see more effort to help clients with that," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
12/4/2013 | 10:34:06 AM
re: Enterprises Should Practice For Cloud Security Breaches
I completely agree with you, Robert! The majority of organizations do not have a formal application security training program in place. Due to the rapid change of technology and the rise of new platforms such as cloud and mobile, knowledge and skills are fundamental to software assurance. Without a thorough understanding and grounding in the principles, vernacular, tools, and practices for software security, your development teamGs effectiveness will be limited and you wonGt see the kinds of results you are expecting.

According to a recent research conducted by Security Innovation and the Ponemon Institute most organizations do not identify, measure, or understand security risks. Check out more details on this topic - http://blog.securityinnovation...
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.