Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:34 PM

Putting Data In The Cloud? Retain Control

Security researcher warns many companies are trading catastrophic problems for gains in efficiency

At the beginning of Stanley Kubrick's epic, "2001: A Space Odyssey," apes benefit from the use of technology, in the form of a club. By the end of the movie, however, humans are threatened by the technology used to help them survive in the stars, the artificial intelligence HAL.

In some ways, this technological arc -- from tool to master -- is an apt allegory for companies entering the cloud, Davi Ottenheimer, president of security consultancy Flying Penguin, plans to argue in his presentation at the B-Sides Security conference in Las Vegas next week. Firms seeking greater efficiency and more features may rely on the technology of a cloud provider, leaving themselves vulnerable to a single security incident.

In his presentation, Ottenheimer plans to draw illustrate the need a more secure approach to clouds using the themes from "2001: A Space Odyssey."

"The central question for companies is, 'Do you have control?'" Ottenheimer says. "The fight between the humans and HAL in a nutshell is the fight between the customers and the cloud provider. Humans reliance on the tools to survive in space is almost their undoing, and reliance on cloud services can similarly be a firm's undoing."

Reliance on cloud vendors' security has led to a number of high profile breaches. In March, marketing service provider Epsilon reported a massive breach of its systems that led to more than 100 large companies -- including such giants as Citibank, JPMorgan Chase and Walgreens -- sending out warnings to their customers.

Dropbox is another example. Individuals can put business-sensitive data into the cloud storage service, where anyone with access to the server could potentially read the file because it uses a central encryption key. While the design of the cloud service allows third party's to access their users' accounts to offer interesting services, it also leaves the data much less secure than a system that encrypted the data before sending it into the cloud, Ottenheimer says.

A number of companies are providing encryption services to secure data inside the cloud. CloudSwitch, for example, allows companies to run their software and store their data in a private or public cloud in its own encrypted network. Another company, CipherCloud, allows companies to use other services, such as Salesforce.com, but encrypt their data.

"Companies are really helped ... by just thinking out how to protect their data," says Varun Badhwar, vice president of business development for CipherCloud, a security provider. "Once they have figured data protection out, then they are better off, because their cloud applications can be used the way they want to."

For companies that want to roll their own solution, turning to encryption standards such as the Symmetric Key Services Markup Language (SKSML) can help secure data before shipping it off to a cloud provider's facility.

Ottenheimer stresses that cloud services themselves are very useful, but the ones that require a company to give up securing its data are dangerous. "You can centralize everything, as long as you don't give up control," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/10/2012 | 3:52:25 PM
re: Putting Data In The Cloud? Retain Control
Information is good... can you please tell me how actually data is kept in the cloud ?? and what are the techniques used at present to provide security for the uploaded data into the cloud???
Please mail the answer..... musthaq786srk[email protected]
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.