Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/28/2011
02:34 PM
50%
50%

Putting Data In The Cloud? Retain Control

Security researcher warns many companies are trading catastrophic problems for gains in efficiency

At the beginning of Stanley Kubrick's epic, "2001: A Space Odyssey," apes benefit from the use of technology, in the form of a club. By the end of the movie, however, humans are threatened by the technology used to help them survive in the stars, the artificial intelligence HAL.

In some ways, this technological arc -- from tool to master -- is an apt allegory for companies entering the cloud, Davi Ottenheimer, president of security consultancy Flying Penguin, plans to argue in his presentation at the B-Sides Security conference in Las Vegas next week. Firms seeking greater efficiency and more features may rely on the technology of a cloud provider, leaving themselves vulnerable to a single security incident.

In his presentation, Ottenheimer plans to draw illustrate the need a more secure approach to clouds using the themes from "2001: A Space Odyssey."

"The central question for companies is, 'Do you have control?'" Ottenheimer says. "The fight between the humans and HAL in a nutshell is the fight between the customers and the cloud provider. Humans reliance on the tools to survive in space is almost their undoing, and reliance on cloud services can similarly be a firm's undoing."

Reliance on cloud vendors' security has led to a number of high profile breaches. In March, marketing service provider Epsilon reported a massive breach of its systems that led to more than 100 large companies -- including such giants as Citibank, JPMorgan Chase and Walgreens -- sending out warnings to their customers.

Dropbox is another example. Individuals can put business-sensitive data into the cloud storage service, where anyone with access to the server could potentially read the file because it uses a central encryption key. While the design of the cloud service allows third party's to access their users' accounts to offer interesting services, it also leaves the data much less secure than a system that encrypted the data before sending it into the cloud, Ottenheimer says.

A number of companies are providing encryption services to secure data inside the cloud. CloudSwitch, for example, allows companies to run their software and store their data in a private or public cloud in its own encrypted network. Another company, CipherCloud, allows companies to use other services, such as Salesforce.com, but encrypt their data.

"Companies are really helped ... by just thinking out how to protect their data," says Varun Badhwar, vice president of business development for CipherCloud, a security provider. "Once they have figured data protection out, then they are better off, because their cloud applications can be used the way they want to."

For companies that want to roll their own solution, turning to encryption standards such as the Symmetric Key Services Markup Language (SKSML) can help secure data before shipping it off to a cloud provider's facility.

Ottenheimer stresses that cloud services themselves are very useful, but the ones that require a company to give up securing its data are dangerous. "You can centralize everything, as long as you don't give up control," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Musthaq
50%
50%
Musthaq,
User Rank: Apprentice
2/10/2012 | 3:52:25 PM
re: Putting Data In The Cloud? Retain Control
Information is good... can you please tell me how actually data is kept in the cloud ?? and what are the techniques used at present to provide security for the uploaded data into the cloud???
-
Please mail the answer..... [email protected]
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.