Securing the keys to the cloud

As the cloud model is put to the test at more organizations, security holes and malware are coming to light. Here's how to cope.

Contributing writer, Computerworld |

Previous 1 2 3 4 Page 2 Next

Page 2 of 4

Gilmore says he sees cloud security risk breaking down into two major categories: malicious attacks and malicious content.

"Malicious attacks would be in the form of something like the attack that happened to LinkedIn," Gilmore says. "Many of the cloud service providers started off small and on a shoestring budget. As the companies grew, the infrastructure grew, but most likely the simple architecture design that helped the company get off the ground did not mature as the company expanded. I believe this is what happened in the LinkedIn case."

The second category, malicious content, comes in the form of viruses and malware. "Public cloud sites such as Google, Amazon and Facebook are all breeding grounds for such malicious code and are a danger to any enterprise that either employs them or allows them to be utilized as work tools," Gilmore says. "I think the biggest flaw in this whole design is the lack of end-user administration control over the cloud resources."

When a company uses the cloud, it's "renting someone else's technology," Gilmore says. "You are relying on them to be diligent with security updates and using the latest and greatest security technologies. You have no way of knowing if that is actually happening."

The next big threat that will emerge, Gilmore predicts, is the "hijacking" of cloud resources. "As people fail to meet security standards, such as using complex passwords, and leave machines running for days on end, the likelihood of intrusion is going to increase and eventually resources will be hacked," he says.

Another thing to take into account when assessing the security of the cloud is the fact that many service providers are new to the market. "Due to all the publicity, multiple new companies and even older established companies with no previous IT, data management or security experience are getting into the business of cloud computing," says Jerry Irvine, CIO at Prescient Solutions, an IT services provider in Schaumburg, Ill.

"As a result, uneducated users and many small to midsize companies are looking at cloud services as simply a commodity purchase, comparing pricing and systems' flashy features, as opposed to the necessary functions of security, fault tolerance and integrity," Irvine says.

Checklist

Tips for Better Cloud Security

1. Know your own infrastructure and that of your cloud provider. The less you know about the vendor's setup, the more vulnerable you are.

2. Ask your security and legal teams to review contracts with cloud providers. Verify that security assurances are legally binding.

3. Study your provider's service-level agreements so you understand all contractual obligations -- yours and the vendor's. Make sure that you can monitor your apps, and that the vendor will notify you in the event of a security breach.

4. When negotiating a contract, ask tough questions about the vendor's hiring policies and employee monitoring practices, because malicious insiders represent security risks.

5. Research security controls and make sure cloud providers have those controls in place. Also understand how vendors will handle breaches.

6. Understand that your company is ultimately responsible for the confidentiality and integrity of its systems. Identify vulnerabilities by conducting regular penetration tests of your cloud-based systems -- with the provider's help, if possible.

7. Implement your own security tools, such as complex passwords, data encryption and data access management software that integrates with the cloud infrastructure.

— Bob Violino (bviolino@optonline.net)

Previous 1 2 3 4 Page 2 Next

Page 2 of 4

It’s time to break the ChatGPT habit