What is Real Cloud Computing Security?
Post by Telly McGuire with Atlanta, Ga.-based Secure Cloud Security and Firewalls, LLC
Virtualization and cloud computing promise to optimize IT infrastructures and drive down computing costs.
But there are dangerous risks, too.
Ten years ago, no one worried about wardriving and password sniffing. Now, protecting against those threats is routine.
The risks and security implications of moving your sensitive data assets to the cloud are not yet fully understood. One thing that’s clear, though, is that the cost advantages of moving to the cloud mean that it’s a matter of when, not if, your site is "attacked."
Companies avoiding the cloud will quickly be at a disadvantage against their cloud-embracing rivals. IT’s security toolbox will be much different in three years than it is today.
Cloud security may well have its proud moment, but it’ll eventually evolve.
How it will change, though, is not clear, and neither is the real truth when it comes to cloud security advice.
Many look at cloud security through a corporate LAN lens. Others believe that any data outside the corporate firewall is basically lost. Still others believe, like the novices, that the cloud providers will take care of these problems for them.
Here are some cloud security misconceptions that could compromise overall security.
1. Data in the cloud is less secure than behind a corporate firewall.
One of the biggest roadblocks to cloud adoption is security. Yet misconceptions about cloud security may actually be undermining security.
As IT gets squeezed by corporate budget cuts and an ever greater need to stay on top of patches, upgrades and mushrooming vulnerabilities, the idea that you can handle security better than a large cloud provider with deep pockets and a dedicated security staff is misguided.
“Remember, when a corporation loses sensitive data, it’s usually an inside job,” said Barry Curry, VP of Products and Business Strategy at YouSendIt, a provider of secure digital content delivery services. “Some insider will have access to systems they shouldn’t, and data is at risk.” Clearly, reducing or eliminating insider attacks is a huge security boon.
In many companies, once you are approved, you can go pretty much anywhere you want. And how many enterprises have critical servers in unlocked rooms – or even closets – that pretty much anyone can enter?
Ethernet ports are everywhere. Being inside the building essentially means that you are deep inside the network.
Compare that to a cloud vendor. They have multiple data centers – backup and disaster recovery should be a given with the cloud – and anyone entering must pass through layers of physical and often biometric security.
Moreover, reputable cloud vendors must comply with numerous regulations, are audited frequently and their business depends on delivering secure access to data.
Major breaches equate with major customer defections.
Finally, in an enterprise setting, security is often the last thing IT worries about. Instead they spend the bulk of their time on mundane, cumbersome tasks like patches and password resets. In these days of doing more with less, there may not even be a dedicated security professional on staff.
If a cloud provider’s security is as lax as it is at many enterprises, they won’t be in business very long.
2. All clouds are created equal.
Even though cloud providers should deliver better security, that doesn’t mean all of them will.
People speak and think of the cloud generically. A cloud is a cloud is a cloud. Nothing could be further from the truth.
“SLAs, security, reliability and uptime can all vary greatly from provider to provider,” said Tommy Habal, Director of Product Marketing for Proofpoint, a SaaS security and compliance provider.
Habal believes it’s important to have SLAs that go beyond basic uptime and reliability.
SLAs should cover the applications themselves, and even what the vendor will do in the event of a breach or a DDoS attack.
Cloud vendors should be scrutinized just as closely as traditional hardware and software vendors. Conduct pilots, pick apart their security policies, negotiate favorable SLAs and seek out third-party validation of their service.
3. A secure virtual machine on a public cloud is equivalent to a secure physical machine inside the enterprise.
While many cloud security misconceptions emanate from cloud skeptics, the early adopters have their own misconceptions.
A big one is that virtual machines are every bit as secure as physical ones.
“There are multitudes of attacks on the virtual machines that can be launched from another virtual machine running on the same cloud hardware. So, securing the data by security communication alone, such as by https or VPN, will still be insecure,” said Sanjeeve Kothari, founder and CEO of CipherCloud.
“It’s critical to make sure data is encrypted at rest – even before it leaves the enterprise,” Kothari said.
This goes back to the “all clouds are equal” point. If your cloud provider does not encrypt data at rest, then they probably aren’t as serious about security as you are.
4. Cloud applications aren’t as secure as traditional shrink-wrap software.
The perception is that traditional software goes through a longer, more involved vetting process than cloud-based applications. Vulnerabilities, though, tell a different story.
Cloud-based applications are constantly patched and updated. In contrast, patching for traditional software is left to end users.
“Cloud applications don’t stand still,” said Curry of YouSendIt. “As a cloud vendor, we do a release to the software every week. Every quarter, we do a refresh to the client code base and push that out, and in some cases, rebuilds are daily with certain web apps.”
I guarantee that your on-premise applications aren’t refreshed and patched every week or every day. No IT staff can keep up with that. With SaaS and cloud application providers, though, many focus only on a single application or suite of applications.
It’s what they do, and it’s all they do. The apps must be rock solid, or, again, customers will go elsewhere.
5. The cloud is just a small part.
Cloud computing makes it far easier to bring devices like smartphones and tablets into contact with enterprise applications. Hackers are increasingly focusing on smartphones, and you can bet there will be tons of vulnerabilities found in 99-cent apps.
However, the rise of the cloud and post-PC devices marks a shift in computing. We’re moving away from a model where processing and storage were device-side tasks to one where critical information never leaves the data center.
The mistaken belief is that mobile devices are much riskier than PCs. That’s not necessarily true. Mobile devices that offload processing and storage to the cloud are already more secure simply by not having important data residing on the client.
The critical piece of security on mobile devices will be user identities and credentials. If those are bolstered, a lost phone will represent nothing more than a minor inconvenience. Compare that to a lost laptop. Lost laptops were responsible for many major data loss incidents, including more than one for the VA.
Let’s go smaller than the laptop to the thumb drive. The Department of Defense was penetrated by the Chinese via corrupted thumb drives.
Cloud computing will eliminate multiple copies of files stored in multiple places, and, if all of your data is in the cloud, will you need to plug in a thumb drive at all?
The threat from mobile devices can’t be understated, but as with many new technologies before, security will evolve to offer better, more device-specific protection.