How data security can vaporize in the cloud
IT managers should consider security, legal issues before signing up for hosted storage services
October 15, 2009 07:08 AM ETComputerworld - PHOENIX -- While hosted cloud computing may be all the rage for reducing cost of ownership and management, IT managers say hosted storage services present dramatic security challenges and legal implications that need to be considered.
Arthur Lessard, chief information security officer at toy manufacturer Mattel Inc., in El Segundo, Calif., said during a presentation at Storage Networking World on Wednesday that cloud computing is appealing, even if many end users don't know what the word "cloud" means. For example, many confuse cloud computing with pure server and storage virtualization or simply backing up data to a remote site.
True cloud services should be characterized by grid-architected hosts with central management, applications that can be ported seamlessly from system to system, capacity that is easily provisioned and significant data redundancy, he said.
"We're talking software as a service," Lessard said.
When storage is hosted offsite in a virtualized server and disk array environment, cloud computing presents real limitations around authentication and auditing - especially auditing of logging. The lack of auditing capabilities may affect the ability to record user logins, administrative actions and data writes, Lessard said.
"What I can't find out is who has been reading the data files, and ... depending on what business you're in, that might be important," he said.
Also, there's usually no indication of login anomalies, such as repetitive attempts to log into a site under an incorrect name and password. That information is kept by the vendor and is usually part of a contract negotiation process. With respect to authentication, or who sets up the accounts and what control you have over accounts and how they're provisioned, most vendors offer self-registration into your applications, "and that can have holes," Lessard said.
"Most authentication in a cloud environment is done through user name and password only, so if I had a nifty two-factor authentication set up or biometrics, it's no longer offered," he said.
Most service providers also have restrictions against penetration testing of the cloud by their customers.
"To be honest, I can't blame the vendor because by doing penetration testing against their environment for your applications, it could impact someone else's applications," he said. "Remember, it's a cloud, and you don't have a lot of control over where my stuff is running or where it sits."
Hackers can exploit security holds associated with hardware and software cloning in virtual server environments. Most operating systems have unique or personalized components when they're installed on hardware, and the OSes rely on the hardware to generate random numbers for public and private encryption key pairs and user IDs, even when they're being cloned onto new systems.
cloud computing
Additional Resources



White Papers & Webcasts
Tape Killed the IT Guy
Watch Now
Cache Tier Memory Efficiency with Gear6 Web Cache
Download this valuable white paper!
Customer Video: Cardinal Health
Download Now
Connecting to the Cloud with F5 and VMware VMotion
F5 and VMware partner to enable live application and storage migrations between datacenters and clouds, over short or long distances.
Virtualize Microsoft Applications on VMware
Register for this live webcast now!
F5 Virtualization Guide: Seven Key Challenges You Can't Ignore
Seven Key Challenges You Can't Ignore
Strategic ECM Webinar
Learn what new strategic business benefits can be realized through ECM!



