Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Security Manager's Journal: At this point, the cloud remains too leaky

For a security manager, even a test environment could be too vulnerable when it's located in the Web-accessible cloud.

June 1, 2009 12:01 AM ET

Computerworld - What great timing! I had no sooner returned from the RSA Conference, where my focus was on cloud computing, than I was invited to a meeting to discuss our first venture into "the cloud."

The IT department has decided to contract with an infrastructure-as-a-service provider to host a portion of our development environment. If this trial is successful, some of our production environment could be next. Having read up on the subject in white papers and attended seminars at RSA, I felt informed enough to ask the questions that needed to be answered before I could feel comfortable about an initiative that was going to open new portals to our network and our data.

And there's no question that this could expose us to new dangers.

Trouble Ticket

  • At issue: Plans are afoot to put some development servers in the cloud.
  • Action plan: Come armed with the toughest possible security questions for the vendor.

Our plan is to move our SAP development environment to the cloud. Our developers typically test apps with our actual production data. It's not a problem when they put our financial data on a test server in our own data center. It's another matter entirely when the server is far away and out of our control. In this case, in fact, our hosted servers will actually be located at a hosting provider's data center, so there are two degrees of separation.

The plan is to configure several virtual Linux and Windows servers on a shared VMware ESX Server. The cloud vendor wants us to set up a VPN tunnel. I'm not thrilled that we won't control the VPN termination point, and it doesn't help that the termination point is a Linux server running open-source VPN software.

Compounding my concerns, the vendor wants us to use a shared key for VPN authentication between the devices. I have countered that plan by mandating the use of certificates to handle authentication. I have also established firewall rules that restrict the servers at the server farm from accessing our network.

Making Things Easy

Next in my sights was the Web-based management application that our technicians must use. When you put this application side-by-side with our current data center access controls, the vulnerabilities of the Web app are enough to make a grown security manager cry.

Currently, a bad guy would have to know the physical location of our data center, obtain a badge to enter the building, procure yet another badge and somehow beat the biometric hand scan in order to enter the data center -- and then he'd have know exactly which racks contain the servers he's targeting. In contrast, the Web app asks only for a username and password, it's available via the Internet, and all customers use the same URL. The only thing a bad guy needs is something like a keystroke logger. And here's a clue to how much the vendor values security: It gives clients temporary passwords with no requirement to change them upon initial log-in, and it doesn't enforce the use of complex passwords.

I had other questions as well, and the answers did not inspire confidence. How would we know if an unauthorized, rogue or disgruntled employee manipulated our environment? "Umm, well, uh, we haven't really thought about that, but our offering is strictly for development environments."

Join In

To join in the discussions about security, go to computerworld.com/blogs/security.

OK, then, how about encryption? "Since we cater to development environments, we advise customers not to use sensitive production data in the development environment." And do any customers really create data out of thin air, or do they just take what already exists from production?

The bottom line is that we have a long way to go before we establish a trust relationship between the cloud network and our company's network, and there is still quite a bit of room for improvement in cloud security.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Related Reading

Read more about security in Computerworld's Security Knowledge Center.



Jump to comments

cloud computing

Additional Resources

EFD vs. HDD - What You Need to Know
WHITE PAPER
Enterprise flash drives provide a new Tier 0 storage layer capable of delivering high I/O performance at a very low latency. Proper use of EFDs in an Oracle environment can deliver increased performance compared to fibre channel drives. Read the recommendations for identification of the best DB components for EFDs.
Gartner Research Report: Magic Quadrant for Application Delivery Controllers, 2009
WHITE PAPER
The market for products to improve the delivery of application software over networks remains dynamic and innovative. Vendors focused on solving enterprises' most-pressing application problems have become the top players.
Eight Criteria for Server Load Balancing
WHITE PAPER
Server load balancers are a simple yet highly effective means to scale an application environment while ensuring its availability. Today's solutions should also address application performance and security. Read about the top eight criteria you should consider when choosing a server load balancer and how Citrix NetScaler meets those requirements.

What People Are Saying

White Papers & Webcasts

Death to PST Files
Download Now  

Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".

eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!  

Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...


IT Jobs