A storm-front is brewing for cloud computing, writes Paul Zimski, vice-president of market strategy at Lumension. As developers continue to reach towards the sky with insecure infrastructure, the chances for a disastrous squall increase every day.
The cloud undoubtedly provides organisations with the opportunity to save money and achieve efficiency, by leveraging virtualisation to centralise applications, storage and platforms into pay-as-you-go, scalable bites of a single system or network. But without security embedded into underlying technology that supports cloud computing, businesses are setting themselves up for a fall.
The internet lacks the fundamental security protocols necessary to secure things as they are. By building consolidated piles of data on top of this shaky foundation, enterprises and other organisations are looking for trouble.
Reformed hacker Michael Calce - infamous for taking down websites such as CNN.com, eBay and Yahoo! in 2000 - agreed in conversation that trouble looms ahead if companies fail to apply the right security measures.
Placing risk on top of the risks
Moving to a virtual environment to save on costs automatically introduces fresh risk on top of existing risk. Unfortunately, the problem of cloud security is being exacerbated by the very economic climate that is driving CIOs to buy into the cloud model in the first place. People are attempting to load up as many applications as possible onto individual servers, and whether they do that in their own environment or push it off into the cloud, it creates the same issue. It is becoming increasingly common for network and physical security to be sacrificed to provide cost savings.
Back to security basics
One of the core aspects of keeping the cloud safe for all users is adherence to the basic security principles that apply in the non-virtualised world. It is imperative that people do the basics: minimise administrative privilege; support enforcement of the rule of least privilege; and absolutely stay on top of vendor patches.
While many cloud and virtualisation vendors tout their patch management capabilities, the enterprise needs to be mindful that this is patch management only for the vendor's software components. The customer is still responsible for keeping their virtual machines up to date.
For a recent report conducted jointly by EMC's RSA security division and IDG Research Services, 100 security executives at companies with revenues of £1 billion or more were interviewed. Of these executives, close to half said they either have enterprise applications or business processes running in the cloud or will begin migration in the next year. At the same time, two-thirds don't have a security strategy for cloud computing, a worrying statistic for companies with revenues of that size.
In a nutshell, cloud computing is hugely beneficial for the enterprise and, while still evolving, will be around for the long haul. It is therefore vital that those who embrace it adopt a long-term security strategy or risk falling short. Although economically viable, cloud computing may turn into a very expensive venture for those who neglect to implement and maintain a solid security practice for their virtual environment.