Is anyone in control of cloud security?
by Phil Lieberman - President and CEO, Lieberman Software - Tuesday, 7 December 2010.
Historically, IT data centers have always been in secured physical locations. Now with cloud computing those locations are no longer maintained directly by the IT organization. The question comes down to this: how do you get accountability for management of physical assets that are no longer under your physical control, and exactly what control mechanisms are in place? Can you trust your cloud vendor to secure your most sensitive data? Moreover, if there’s a security breach in the cloud, who is to blame? Is it the cloud vendor that disclaims all legal liability in its contract, or an enterprise that relinquishes control of its sensitive data in the first place?

From the vendor's standpoint, cloud computing promises to reduce customer headcount, make IT more efficient and deliver more consistent service levels. There is a paradox, however: when it comes to security, and to control over privileged identities in particular, cloud services are often among the least efficient. Many cloud service providers' processes for this, based on ad-hoc techniques such as scripting password changes, are slow, expensive and unreliable. Credentials that are rotated late, or not at all, on shared infrastructure are dangerous.

Fortunately the industry is starting to move beyond paralyzing discussions about the security and compliance problems that arise from cloud computing to address them head on. One example of this is the Trusted Cloud Initiative, which was launched at RSA Conference 2010. The goal of the initiative is “to help cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices.” However, only time will tell if it will help standardize cloud computing or turn out to be a technology certification of little use.

In addition, several major cloud vendors and ISPs have begun the difficult task of integrating security solutions that are capable of managing the large number of privileged identities that make up their infrastructure (hardware, VM hosts, VM Image OS, application stacks). This has really broken the fundamental model of IT being in control of security and has started to blur the lines between vendor and customer when it comes to the management of security.

The end user's challenge: Transparency

In my opinion, the cloud is a really good, compelling idea. It can reduce the cost of IT dramatically. Given that cloud computing is available, the idea of building new data centers these days seems like a last-century way of doing things. On the other hand, for enterprises, the ability to see and touch your own systems in your own secured data center does give confidence that you have some measure of control over your destiny. But most large corporations don't have enough IT people or security talent to manage the IT resources they already have, and so are turning to outsourcing. Cloud computing is essentially the next generation of outsourcing: we are not only reducing manpower, we are getting rid of our hard assets entirely by moving them to data centers anywhere on the planet that will manage them more cheaply than we ever could. And the idea of outsourcing security and liability is extraordinarily compelling.

Enterprises should ask the right questions of their cloud providers before taking the leap into the cloud and blindly assuming that their data is safe there. Every point of compliance that you are asked to meet as an IT organization, and every question an auditor has ever asked you, applies equally to your cloud vendor and needs to be asked of them. And because today's cloud vendors offer little transparency and little information, don't be surprised if you don't like the answers you get. Most cloud vendors will say that, for security purposes, details are on a "need to know" basis, and you don't need to know. Others point to a SAS 70 report, but that attests only to the controls the vendor itself chose to describe and put in scope; it is not an independent standard of what those controls must be.

Here are some questions you must consider asking:
  • What kind of security does the cloud service provider have in place to protect your privileged accounts and your most sensitive data?
  • Do they have a Privileged Identity Management technology in place, or are privileged credentials handled by ad-hoc scripts and manual processes?
  • How do they control the privileged accounts used within the cloud infrastructure to manage sensitive systems and data, and who can use them?
  • How do they manage privileged access to the cloud stack at the physical layer, the VM host and guest OS layers, and the application stack layers?
  • What access will you have to audit records showing who used privileged credentials, when, and on which systems?
Whatever regulatory standards your organization must meet, so too must your cloud vendor. So if you think that by venturing into the cloud you’re saving yourself regulatory headaches, think again.