Cyber Security Institute

Monday, August 09, 2010

Seeking Clarity in the Cloud’s Security Haze

Corporate execs and IT managers may soon get clearer answers to fuzzy questions regarding how secure or insecure cloud computing really is.  In an effort to solve that lingering mystery, the non-profit Open Security Foundation (OSF) late last month launched its website.  The new website is aimed at empowering organizations by providing cloud security

OSF officials hope that business and security users will be able to apply the independent data provided to better assess security risks related to the cloud.  The goal is to bring enhanced visibility and transparency to cloud security.

A recent survey by LogLogic showed that companies in the financial industry are slow to adopt cloud services out of worries about increasing government security regulations that cloud providers may not be able to handle.  “Our survey revealed that 60 percent of respondents had concerns about security and transparency issues related to the cloud,” Dimitri McKay, security architect for LogLogic, told TechNewsWorld.

Cloud technology right now is prompting many emotional concerns that only grow in the face of FUD (fear, uncertainty and doubt), noted Jake Kouns, chairman and CEO of the Open Security Foundation.  “I can’t say either way that the cloud is any more or less secure than traditional network storage….  Those who say otherwise don’t have all the facts,” Kouns told TechNewsWorld.

In some respects the cloud is like a no-man’s land where no law and order is in place.  No one entity is in charge, he mused.  “Not all providers agree on security requirements and do it the same way…. There is no one standard,” he said.

Ultimately, it is up to cloud customers to know about cloud security.  But that is a costly research task that cloud vendors are better able to handle, suggested Michael Sutton, vice president of security research for Zscaler.  “There is no straight answer to the cloud security question…  The cloud can be and should be more secure than it is,” Sutton told TechNewsWorld.

The key lies in the hands of customers.

In July, cloud security firm Zscaler announced the availability of a fully integrated email and Web security service that adds email security to its existing Web and cloud security portfolios.

Securing data on a network is different from securing data stored in the cloud.  It is harder to do, Sutton offered.  Having a security firm handle it requires a company’s IT department to have a unique mindset about security, said Sutton.  “The difference is in the controls used.  A company using the cloud cannot risk having inferior security.  But there are no guarantees,” he said.

It is easier to understand the unique nature of cloud security issues when you view them in the context of a housing environment.  The difference between traditional network and cloud storage security is much like the difference between securing a single-family home and a condo.  For instance, the same controls that we use to lock down a single house are not going to work as well in the condo environment, suggested Kouns.  You can protect the perimeter with firewalls and intrusion protection and anything else you want to do.  “But once you get inside, it’s kind of wide open.”  You have to apply the same controls and security differently.

Perhaps the most complicating factor in figuring out how to better lock down cloud storage is what security experts call the cloud’s multi-tenant environment.  There are no standards on how clouds interact, noted Kouns.  “Regulatory compliance agencies need to see virtualization and cloud platforms as more than a new toy,” said LogLogic’s McKay about their security issues.

OSF’s new Cloutage Project seeks to foster a solution to the cloud security question.

Posted on 08/09