Securing the keys to the cloud

Computerworld -

Business networking site LinkedIn suffered a security breach in June that resulted in the theft of more than 6 million user account passwords, which were subsequently published online. Although the company says there were no reports of compromised accounts, the incident garnered headlines about the risks of the cloud.

And in April 2011, a server breach at email marketing company Epsilon Interactive exposed the names and email addresses of millions of people. The company said unknown intruders broke into one of its email servers and accessed the names and email accounts of some of its 2,500 corporate customers.

As these incidents show, the cloud is still very much a work in progress when it comes to security. Although many cloud service providers claim they can secure their customers' data, security problems are surfacing as the technology takes hold at more organizations.

Gilmore says he sees cloud security risk breaking down into two major categories: malicious attacks and malicious content.

"Malicious attacks would be in the form of something like the attack that happened to LinkedIn," Gilmore says. "Many of the cloud service providers started off small and on a shoestring budget. As the companies grew, the infrastructure grew, but most likely the simple architecture design that helped the company get off the ground did not mature as the company expanded. I believe this is what happened in the LinkedIn case."

The second category, malicious content, comes in the form of viruses and malware. "Public cloud sites such as Google, Amazon and Facebook are all breeding grounds for such malicious code and are a danger to any enterprise that either employs them or allows them to be utilized as work tools," Gilmore says. "I think the biggest flaw in this whole design is the lack of end-user administration control over the cloud resources."

When a company uses the cloud, it's "renting someone else's technology," Gilmore says. "You are relying on them to be diligent with security updates and using the latest and greatest security technologies. You have no way of knowing if that is actually happening."

The next big threat that will emerge, Gilmore predicts, is the "hijacking" of cloud resources. "As people fail to meet security standards, such as using complex passwords, and leave machines running for days on end, the likelihood of intrusion is going to increase and eventually resources will be hacked," he says.

Another thing to take into account when assessing the security of the cloud is the fact that many service providers are new to the market. "Due to all the publicity, multiple new companies and even older established companies with no previous IT, data management or security experience are getting into the business of cloud computing," says Jerry Irvine, CIO at Prescient Solutions, an IT services provider in Schaumburg, Ill.

"As a result, uneducated users and many small to midsize companies are looking at cloud services as simply a commodity purchase, comparing pricing and systems' flashy features, as opposed to the necessary functions of security, fault tolerance and integrity," Irvine says.

• 12 iPhones Apps That Will Make You a Networking Star
• 10 Careers Robots Are Taking From You
• Big Data Gold Isn't Always Where You Would Expect It
• 6 Tips to Build Your Social Media Strategy
• A walking tour: 33 questions to ask about your company's security
• 15 social media scams
• The 7 elements of a successful security awareness program