
A storm-front is brewing for cloud computing, writes
Paul Zimski, vice-president of market strategy at Lumension.
As developers continue to reach towards the sky with insecure
infrastructure, the chances for a disastrous squall increase every
day.
The cloud undoubtedly provides organisations with the
opportunity to save money and achieve efficiency, by leveraging
virtualisation to centralise applications, storage and platforms
into pay-as-you-go, scalable bites of a single system or network.
But without security embedded into the underlying technology that
supports cloud computing, businesses are setting themselves up for
a fall.
The internet lacks the fundamental security protocols necessary
to secure things as they are. By building consolidated piles of
data on top of this shaky foundation, enterprises and other
organisations are looking for trouble.
When speaking to reformed hacker Michael Calce - infamous for
taking down websites such as CNN.com, eBay and Yahoo! in 2000 -
he agreed that trouble looms ahead if companies fail to apply the
right security measures. Calce says putting everything into a
single box will only make it easier for hackers.
Placing risk on top of the risks
Moving to a virtual environment to save on costs automatically
introduces fresh risk on top of existing risk. Unfortunately, the
problem of cloud security is being exacerbated by the very economic
climate that is driving CIOs to buy into the cloud model in the
first place. People are attempting to load up as many applications
as possible onto individual servers, and whether they do that in
their own environment or push it off into the cloud, it creates the
same issue. It is becoming increasingly common
for network and physical security to be sacrificed to provide cost
savings.
Back to security basics
One of the core aspects of keeping the cloud safe for all users
is adherence to the basic security principles that apply in the
non-virtualised world. It is imperative that people do the basics:
minimise administrative privilege; support enforcement of the
rule of least privilege; and absolutely stay on top of vendor
patches.
While many cloud and virtualisation vendors tout their patch
management capabilities, the enterprise needs to be mindful that it
is only patch management for the vendor's software components. The
customer is still responsible for keeping their virtual machines
up-to-date.
A recent report conducted jointly by EMC's RSA security division
and IDG Research Services interviewed 100 security executives at
companies with revenues of £1 billion or more. Of these executives,
close to half said they either have enterprise applications or
business processes running in the cloud or will begin migration in
the next year. At the same time, two-thirds don't have a security
strategy for cloud computing, a worrying statistic for companies
with such significant revenues.
What next?
In a nutshell, cloud computing is hugely beneficial for the
enterprise and, while still evolving, will be around for the long
haul. It is therefore vital that those who embrace it adopt a
long-term security strategy or risk falling short. Although economically
viable, cloud computing may turn into a very expensive venture for
those who neglect to implement and maintain a solid security
practice for their virtual environment.