- At issue: Plans are afoot to put some development servers in the cloud.
- Action plan: Come armed with the toughest possible security questions for the vendor.
Security Manager's Journal: At this point, the cloud remains too leaky
For a security manager, even a test environment could be too vulnerable when it's located in the Web-accessible cloud.
Computerworld - What great timing! I had no sooner returned from the RSA Conference, where my focus was on cloud computing, than I was invited to a meeting to discuss our first venture into "the cloud."
The IT department has decided to contract with an infrastructure-as-a-service provider to host a portion of our development environment. If this trial is successful, some of our production environment could be next. Having read up on the subject in white papers and attended seminars at RSA, I felt informed enough to ask the questions that needed to be answered before I could feel comfortable about an initiative that was going to open new portals to our network and our data.
And there's no question that this could expose us to new dangers.
Our plan is to move our SAP development environment to the cloud. Our developers typically test apps with our actual production data. It's not a problem when they put our financial data on a test server in our own data center. It's another matter entirely when the server is far away and out of our control. In this case, in fact, our hosted servers will actually be located at a hosting provider's data center, so there are two degrees of separation.
The plan is to configure several virtual Linux and Windows servers on a shared VMware ESX Server. The cloud vendor wants us to set up a VPN tunnel. I'm not thrilled that we won't control the VPN termination point, and it doesn't help that the termination point is a Linux server running open-source VPN software.
Compounding my concerns, the vendor wants us to use a shared key for VPN authentication between the devices. I have countered that plan by mandating the use of certificates to handle authentication. I have also established firewall rules that restrict the servers at the server farm from accessing our network.
Making Things Easy
Next in my sights was the Web-based management application that our technicians must use. When you put this application side-by-side with our current data center access controls, the vulnerabilities of the Web app are enough to make a grown security manager cry.
Currently, a bad guy would have to know the physical location of our data center, obtain a badge to enter the building, procure yet another badge and somehow beat the biometric hand scan in order to enter the data center -- and then he'd have know exactly which racks contain the servers he's targeting. In contrast, the Web app asks only for a username and password, it's available via the Internet, and all customers use the same URL. The only thing a bad guy needs is something like a keystroke logger. And here's a clue to how much the vendor values security: It gives clients temporary passwords with no requirement to change them upon initial log-in, and it doesn't enforce the use of complex passwords.
I had other questions as well, and the answers did not inspire confidence. How would we know if an unauthorized, rogue or disgruntled employee manipulated our environment? "Umm, well, uh, we haven't really thought about that, but our offering is strictly for development environments."
To join in the discussions about security, go to computerworld.com/blogs/security.
OK, then, how about encryption? "Since we cater to development environments, we advise customers not to use sensitive production data in the development environment." And do any customers really create data out of thin air, or do they just take what already exists from production?
The bottom line is that we have a long way to go before we establish a trust relationship between the cloud network and our company's network, and there is still quite a bit of room for improvement in cloud security.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts