Real-time computing. Real-time news.
July 14, 2008
The State of Cloud Security (Pt. 1): Fundamental Risks
1 | 2 | 3 All »
That cloud computing is risky probably doesn’t surprise you. You hand off your data to someone else, and the cloud provider might hand it off to someone else, from whence it might go somewhere else. Little details -- like where it’s being stored, who’s touching it along the way, and what safeguards are being taken -- aren’t always clear.
“The most significant issue for cloud computing is the simple fact that data storage falls outside the control of a company’s security infrastructure,” says Larry Ponemon, founder of the Ponemon Institute, which specializes in information security practices and privacy risk management.
A New Mountain to Climb
"[T]he cloud” has a big target painted on its side. For certain types of hackers, it’s an opportunity for new exploits, a new wall to climb, the thrill of sneaking into the servers of a very huge company. For other types, there’s the potential for a big data score. “Sophisticated cybercriminals are likely to see more value in cracking the cloud, which might contain data from a wide range of organizations,” Ponemon says.
You don’t see confirmed detailed reports, but cloud providers are attacked routinely. “Attacks are getting much more sophisticated, and more numerous,” says the CEO of one cloud services provider. “I can watch the firewall and sometimes there are a thousand probes a day into the grid infrastructure. I talk to other ISPs and hear that this is not uncommon. If you have an unprotected machine in the datacenter, it will be compromised within 10 minutes.”
“In the cloud or grid, everybody’s in the same datacenter, and this makes the security situation much worse than in a traditional environment,” says Dave Durkee, CEO of ENKI, a cloud services and virtual datacenter provider. “Everybody’s in the soup together. Cloud providers have to understand the threats and build better defenses. Too many cloud services today give their customers a software firewall and that’s it. Certain types of attacks can overwhelm a software firewall easily.”
“Cloud is almost synonymous with shared,” says John Engates, chief technology officer for Rackspace, the big IT systems hosting company with its own cloud division, Mosso. “Historically, shared has been a bad word in hosting and IT. Shared meant that you had only logical (software) security boundaries between customers and companies rather than the traditional physical boundaries you get with dedicated gear.” He added that today’s virtualization technologies have helped to mitigate certain security and resource-contention issues.
One of the biggest problems of that shared space is sharing resources from the communal pool. Companies who store files in the cloud need to be concerned about data leakage, says Craig Balding, technical security lead for a Fortune 500 company and a man so concerned about cloud security he started cloudsecurity.org. “Cloud storage gets recycled. The storage you freed an hour ago becomes my storage when I write my files,” Balding says. “The published API calls for cloud storage are pretty high-level … thus, on the surface, the opportunity for abuse, for devious data recovery, seems low. However, my gut feeling is that there will be incidents of data leakage -- through tricky or undocumented API usage or simply through failures of isolation. This will get solved over time, but there will be casualties.”
Dominique Levin, executive vice president of marketing and strategy for LogLogic, which makes network management/surveillance tools, says “there is nothing unique about cloud computing from a security point of view.” But don’t take a lot of comfort in that sentiment. “The consequences of a security breach could be much more severe when the data of many customers is aggregated in the cloud,” Levin says. “Rather than just impacting one organization, a security breach at a cloud provider could potentially impact many customers. This in itself attracts more accidental hackers and organized crime. … It may also be more tempting for rogue employees to monetize some of their legitimate access to customer data.”
Article Tools
Share Options
(Digg, Technorati, more)
