Cloud Security In Focus Amid Data Theft Fears - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Cloud // Cloud Storage
Commentary
11/11/2009
03:23 PM
Alexander Wolfe
Alexander Wolfe
Commentary
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Cloud Security In Focus Amid Data Theft Fears

Yeah, I know, this is another one of those "everything changes" moments where we're prodded into frenzied activity--as opposed to effective action--because an emerging technology has surged ahead of our ability to properly manage it. I'm talking about cloud computing, and the attendant fears not just of data theft, but of breaches of SaaS computing resources themselves. Fortunately, there are a bunch of below-the-radar efforts attempting to address these worries.

Yeah, I know, this is another one of those "everything changes" moments where we're prodded into frenzied activity--as opposed to effective action--because an emerging technology has surged ahead of our ability to properly manage it. I'm talking about cloud computing, and the attendant fears not just of data theft, but of breaches of SaaS computing resources themselves. Fortunately, there are a bunch of below-the-radar efforts attempting to address these worries.Cloud security reared its head most recently, with Trend Micro chief technology officer Dave Rand being quoted as saying: "Between now and widespread adoption [of cloud computing] we will see massive data theft occurring as people move into the cloud."

Since adoption is ramping up, one can infer that such thefts are already ongoing. (Or, more scarily, one can take a short intellectual leap from my post, Admiral Warns Cybersecurity Threat Looms For U.S., and assume that cloud data thefts are already rampant, we're just not hearing about them.)

It's interesting to note that cloud security holes result not from any inherent shortcomings of the technology itself, but rather from its inherently greater exposure. Namely, it's visible on the Internet. Also, as I mentioned up top, our processes have not yet caught up with our financially induced rush to shed more secure (because they're better, though not entirely, hidden) self-hosted apps, in favor of the promised capex savings of SaaS equivalents.

The most succinct summary of the problem comes via the document, "Security Guidance for Critical Areas of Focus in Cloud Computing," which I encourage you to download from the Cloud Security Alliance [pdf is here], which speaks of the erosion of the traditional security perimeter:

"It is clear that the impact of the re-perimeterization and the erosion of trust boundaries we have seen in the enterprise is amplified and accelerated due to Cloud."

Operationally, one can analogize purchasing cloud services to owning a car. The manufacturer (or, in this case, the vendor) is responsible for creating a safe product. However, practically speaking, the buck stops with you the user as far as ultimately ensuring safe operation.

[Another way of viewing this is, cloud users have service level agreements, most of which have fine print blowing off responsibility for security. So maybe if there's a breach, you can still have your legal department sue the crap out of someone, but as the computer person in your org, that buck to which I referred will still be stopping at your desk.]

This means that cloud users cannot cede security to their provider. Adding complexity on top of this admittedly simplistic advice is the nuance of different clouds presenting different challenges. Or, as the Cloud Security Alliance's paper puts it:

"The key takeaway from a security architecture perspective in comparing the [different SaaS] models is that the lower down the stack the Cloud service provider stops, the more security capabilities and management the consumer is responsible for implementing and managing themselves."

Where does these leave us? Process-wise, right now both users and providers are groping towards a solution. As the CSA doc summarizes it:

"The relative maturity of Cloud Services will lead to history repeating itself with respect to security issues. Consumers, Businesses, Cloud Service Providers, and Information Security and Assurance professionals need to collaborate to shine a light on the potential issues and solutions listed above and to discover those not yet identified."

Next time, I'll take a look at some of the technical solutions being floated to address security in the cloud.

See also:

Wolfe's Den Interview: Pacific Labs CIO Talks Cloud Computing Security, and

Wolfe's Den Podcast: Trend Micro Takes Security To The Cloud.

Follow me on Twitter: (@awolfe58)

What's your take? Let me know, by leaving a comment below or e-mailing me directly at [email protected].

Alex Wolfe is editor-in-chief of InformationWeek.com.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
IT Careers: Top 10 US Cities for Tech Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  1/14/2020
Commentary
Predictions for Cloud Computing in 2020
James Kobielus, Research Director, Futurum,  1/9/2020
News
What's Next: AI and Data Trends for 2020 and Beyond
Jessica Davis, Senior Editor, Enterprise Apps,  12/30/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll