The 6 Worst Cloud Security Mistakes

Unless you've been snoozing under an old mainframe in your data center, the pressure to push some of your IT operations off-site and into a service provider's "cloud" is probably weighing heavily on your mind as you face shrinking IT and security budgets and increasing compliance requirements. Let's face it: Everyone is under pressure to make do with less while providing more accountability for securing their data, especially small and midsize businesses. In some cases, that may mean outsourcing some of your IT operations as money and manpower gradually dwindle.

Rushing things when it comes to cloud computing can be very dangerous security-wise, but blowing off cloud computing all together because you think you can secure your own stuff better than a service provider isn't smart, either. A few more mistakes: assuming you're no longer responsible for your data's safety and security once you've handed it off to a provider, and thinking you are solely responsible for deciding whether and how your company uses software-as-a-service: Don't be surprised to discover you are the last to know that a couple of your business units are already deploying SaaS (and didn't bother to run it by IT security).

Those are a few of the common blunders enterprises make when they first look at, or decide to move their systems, applications, and/or data to, today's services-based model, a.k.a. cloud computing. Some other mistakes with cloud security: not verifying or testing the security of your cloud provider, failing to vet the provider's viability as a business, and tossing your insecure apps into the cloud as-is, expecting them to automatically become more secure.

Let's take an up-close look at six common secure cloud computing traps, and how to avoid falling into them.

It's only natural for security pros to be control freaks. Being charged with securing a company's data and intellectual property requires a healthy dose of paranoia and protectionism. But sometimes that leads to false impressions about cloud security. "One common mistake is that as soon as you talk about the cloud, [organizations] assume it's less secure than their own IT security operation," says Chenxi Wang, principal analyst at Forrester Research. "More control does not necessarily lead to more security."

In fact, with services such as Google's SaaS, data loss is less likely because the information is accessible from anywhere and anytime without saving it to an easily lost or stolen USB stick or CD, according to Eran Feigenbaum, director of security for Google Apps. And Google's security-patching process is more streamlined than a typical enterprise because its server architecture is homogeneous, he says. "Many attacks [come from a] lack of patch management and server misconfiguration...For Google, when the time comes to patch, we can do so across the entire platform in a uniform fashion," he said.

Then there's the more global view SaaS and other cloud providers have, Feigenbaum says. "As an enterprise, you only see a small slice of what's affecting you [threat-wise]," Feigenbaum said during a panel on cloud security at the RSA Conference in April. "A cloud provider can have the economy of scale for a holistic vision...the cloud shifts security and also makes it better," he said.

But that doesn't mean you should blindly trust your cloud provider, though the larger ones do tend to have a better handle on threats due to their size, Forrester's Wang says. "These people deal with security issues at more complex levels than your own IT team sees on a daily basis," Wang says. "It's a misconception to say cloud security is definitely less capable or more problematic."

Thus far, security has been one of the main hurdles to adoption of cloud-based services, says Michelle Dennedy, chief governance officer for cloud computing at Sun Microsystems. "Trust in the cloud, more than technical abilities, has been hindering adoption," Dennedy says. "But the cloud can be more secure than a private environment in many cases."

That said, don't assume instant security when you opt for a services provider. Be sure to verify how they secure your data and their infrastructure. "It's a mistake to simply trust them. You have to verify and audit them, or have some third-party audit them," says Dennis Hurst, security engineer for HP software and solutions, and a member of the Cloud Security Alliance.

Depending on the provider, that may not be so straightforward. Not all cloud computing firms are forthcoming about their security measures and provisions, and others just aren't communicating them very well, experts say. "There are a lot of unknowns about how that data center cloud is protected," said Jian Zhen, director of cloud solutions at VMWare, during the recent RSA panel discussion. "Cloud providers need to do a better job at explaining our controls and making sure people feel comfortable. It's not that we don't have better security -- it's just not enough transparency."

Be sure to verify that your cloud provider isolates systems in a secure way, HP's Hurst says. "Enterprises are not verifying that their systems and data are isolated," he says. "They just assume the virtual machines are being isolated...but their applications may run on a server with 100 other virtual machines, and the provider may not put in the appropriate level of isolation, or IP addresses aren't blocked by the firewall, for example."

Get a trusted third party to verify the cloud provider's security, or negotiate with the provider that you go on-site to test and verify it, he says. "The vendor should document how they isolate [clients], and it's straightforward to verify that," he says.

To confirm that VMs are protected, for instance, you could run a port scan out of the environment to confirm that you can't get to its other clients' machines, Hurst says.

A good indication that a cloud provider is, indeed, secure is just how forthcoming it is about its security and privacy. "That's an indication of how confident they are about their own capabilities," Forrester's Wang says. "It's a warning flag if they are not willing to talk."

During the past few years, Google, for instance, has begun providing more details about the security of its SaaS, including white papers, Feigenbaum says. "It might not be on the front page of our Website, and you might have to sign NDAs and meet behind closed doors, but that's the expected balance between security and visibility," he says.

Meanwhile, cloud computing offers an opportunity to build in security from the data side and out to the cloud, Sun's Dennedy notes. "This is a do-over for the Internet," she says. "This is not outsourcing on steroids or time-sharing all over again. We get to select the best security technologies of today and put them into secure cloud [offerings]," she says.

A third mistake is implicitly trusting a cloud provider without confirming the viability of its business. "If your provider disappears tomorrow, what do you do about it?" says HP's Hurst, who points to a case in Texas in which the FBI raided a hosting provider and seized its data center and computers after one of its systems had been allegedly used for illegal purposes.

"Only one computer was used for illegal purposes, but the rest got taken out, too," leaving its clients in the lurch, according to Hurst. "You almost have to plan for the worst. Make sure you get copies of all medical records, for example, on media that can be used so you can still function as a business" in case your cloud provider goes under for some reason.

You also need to find out whether the company has a disaster recovery plan. Vetting a small cloud provider can be more challenging, too.

The good news: It's rare to hear about a cloud computing firm going out of business, Forrester's Wang says. More than likely, the problem is related to its security practices, she says.

And because enterprises so far are only moving nonmission-critical applications like email or travel out to the cloud today, there's a little less risk of compromising other enterprise applications with these types of services, she says. Don't think outsourcing your applications or systems means you wash your hands of data breach accountability. That's a misconception some SMBs have, security experts say. Transferring protection of your data to the cloud provider doesn't mean you also hand off accountability when there's a breach.

"At the end of the day, it's your company that needs to be accountable for it. Your CEO [is at] risk of going to jail, not the cloud provider's," VMWare's Zhen said during the RSA panel.

Highly regulated firms are most apt to realize that, Forrester's Wang says. "You as the owner of the data are always responsible if you are liable to your customers," she says.

HP's Hurst says he experienced firsthand how an enterprise remains responsible even when its provider gets hacked. His previous employer outsourced the firm's health insurance information to an overseas provider: "It was a classic case," he recalls. "They sent a service to do some data-handling, and that cloud got hacked, but [the former] employer still had to say it had lost the [data] and had to pay for fraud-monitoring services."

"When you delegate a task of a business function, you can't abdicate responsibility," Hurst adds.

Dumping an old IT system with flawed and unpatched applications into the cloud doesn't automatically make it safe and secure. "No vendor is going to fix that for you," Sun's Dennedy says. "Don't expect to replicate the same [junk] and expect to get a different result...or you'll get garbage-in, garbage-out."

The key is properly preparing your applications and data for the transition, she says.

Cloud computing can provide better security and management if you pick the right provider, outsource the right operations, and plan properly. But for organizations that don't already have proper controls, this can be a big challenge.

"Security organizations don't always have control over their architecture," notes Michael Sutton, vice president of security research for Zscaler, pointing to Gartner research that shows 60 percent of enterprises are still using the older and more vulnerability-prone Internet Explorer 6.

"My jaw hit the floor when I heard that," Sutton says.

Even though an insecure application could be a little more protected in the cloud since it would be less accessible to your data center, in the end a poorly secured app is still vulnerable, HP's Hurst says. "It's still an insecure app, and any data it has access to can be exploited and stolen," he says. "If somebody attacked [the app] and used it to host a botnet, in the cloud you have less control, and [your] IDS is not going to see it."

Everyone knows IT security often gets labeled -- unfairly or not -- as a roadblock, rather than an enabler, of technology and business operations. That cultural divide sometimes leads to business units going out on their own and forging cloud computing deals without looping in security. "All of a sudden you woke up and the business unit was doing something with a cloud provider, but with no security relationships," HP's Sutton says.

The key is to prevent groups within the enterprise from "going rogue" and signing up for computing services without considering the security implications of these arrangements. "You want to have security policies that take control...defining what the cloud is as the company sees it, and what the security guidelines around it are," he says -- without making the policies so stringent and overbearing that they'll be tempted to work around the security group.

Forrester's Wang says it's common for IT not to know about cloud services being used within the company. "Jump in as early as you can -- be an early participant," Wang says. "If the security team gets involved earlier in the evaluation and assessment process and is able to identify the right [service] for cloud computing needs, you've got a secure way to use or deliver functionality in the cloud and enjoy the benefits."

That, of course, requires understanding the business side of the equation, not just the technology side.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.