Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:34 PM

Putting Data In The Cloud? Retain Control

Security researcher warns many companies are trading catastrophic problems for gains in efficiency

At the beginning of Stanley Kubrick's epic, "2001: A Space Odyssey," apes benefit from the use of technology, in the form of a club. By the end of the movie, however, humans are threatened by the technology used to help them survive in the stars, the artificial intelligence HAL.

In some ways, this technological arc -- from tool to master -- is an apt allegory for companies entering the cloud, Davi Ottenheimer, president of security consultancy Flying Penguin, plans to argue in his presentation at the B-Sides Security conference in Las Vegas next week. Firms seeking greater efficiency and more features may rely on the technology of a cloud provider, leaving themselves vulnerable to a single security incident.

In his presentation, Ottenheimer plans to draw illustrate the need a more secure approach to clouds using the themes from "2001: A Space Odyssey."

"The central question for companies is, 'Do you have control?'" Ottenheimer says. "The fight between the humans and HAL in a nutshell is the fight between the customers and the cloud provider. Humans reliance on the tools to survive in space is almost their undoing, and reliance on cloud services can similarly be a firm's undoing."

Reliance on cloud vendors' security has led to a number of high profile breaches. In March, marketing service provider Epsilon reported a massive breach of its systems that led to more than 100 large companies -- including such giants as Citibank, JPMorgan Chase and Walgreens -- sending out warnings to their customers.

Dropbox is another example. Individuals can put business-sensitive data into the cloud storage service, where anyone with access to the server could potentially read the file because it uses a central encryption key. While the design of the cloud service allows third party's to access their users' accounts to offer interesting services, it also leaves the data much less secure than a system that encrypted the data before sending it into the cloud, Ottenheimer says.

A number of companies are providing encryption services to secure data inside the cloud. CloudSwitch, for example, allows companies to run their software and store their data in a private or public cloud in its own encrypted network. Another company, CipherCloud, allows companies to use other services, such as Salesforce.com, but encrypt their data.

"Companies are really helped ... by just thinking out how to protect their data," says Varun Badhwar, vice president of business development for CipherCloud, a security provider. "Once they have figured data protection out, then they are better off, because their cloud applications can be used the way they want to."

For companies that want to roll their own solution, turning to encryption standards such as the Symmetric Key Services Markup Language (SKSML) can help secure data before shipping it off to a cloud provider's facility.

Ottenheimer stresses that cloud services themselves are very useful, but the ones that require a company to give up securing its data are dangerous. "You can centralize everything, as long as you don't give up control," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/10/2012 | 3:52:25 PM
re: Putting Data In The Cloud? Retain Control
Information is good... can you please tell me how actually data is kept in the cloud ?? and what are the techniques used at present to provide security for the uploaded data into the cloud???
Please mail the answer..... [email protected]
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...