cloud security issues

  • Why aren't all enterprises building private clouds?

    While many companies are attempting to justify a private cloud move, not all infrastructures are ready for such a massive organizational change. 
  • Cloud computing tutorials

    SearchCloudComputing.com’s tutorials provide IT professionals with the latest information on how cloud computing technology is being used today, including cloud development,...
  • Microsoft sets Azure free; Appliance flutters to Fujitsu

    Azure has spread beyond Redmond; Fujitsu will offer its own batch of Microsoft's cloud environment later this summer.
  • Tools to unlock private cloud's potential

    Private clouds offer a plethora of possible advantages, but certain tools are needed to unleash their full power. Our expert explains what these tools are and how to use them.
  • Analyzing today's hybrid cloud architectures

    Everyone wants a hybrid cloud, but not all major vendors provide them. Take a look at the more prominent hybrid environments, along with tips and tricks for hybrid cloud adoption.
  • Iron Mountain exit hints at cloud storage shift

    As big players like Iron Mountain change gears on cloud storage, users are turning to new tools and commodity cloud services. 
  • Why enterprise security hates the cloud: Change is hard

    Everyone wants cloud to fit into their preexisting systems, but adopting and securing the cloud takes time and effort that many organizations just can't handle.
  • Cloud security advances not yet on IT radar

    Though cloud-friendly security tools have trickled into the market, IT pros are far more interested in securing existing enterprise platforms. 
  • Can you trust your public cloud provider?

    Secure public cloud services aren't a pipe dream; service providers just have to connect some of the dots. How close are we to regulatory compliance in the cloud?
  • Applications interfere with cloud computing adoption

    Legacy applications have surfaced as the true challenge in moving to private cloud

Security issues in cloud computing

What do cloud-focused IT administrators and enterprise security teams fear more than anything? Cloud security issues. Even though the cloud continues to grow in popularity and respectability, complications with data privacy and data protection still plague the market.
This primer on cloud security hitches offers up all our recent cloud security news, technical tips and detailed tutorials. It will attempt to answer maybe the most important cloud-oriented question: How much should we worry about cloud computing security?
Chris Whitener, HP's chief security strategist, said companies are eager to jump into cloud computing to reduce capital costs, reduce the need to manage computing infrastructure and leverage the on-demand capabilities of utility-type computing offered by the cloud. But they often do so without assessing cloud computing security risks.
"The No. 1 thing you shouldn't do is approach this with complete ignorance," Whitener said. "And unfortunately, this is something that a lot of people do. Understand and limit your risk profile. If you approach this with complete abandon, you're asking for it."
The Top Threats to Cloud Computing document released today ranks seven threats that apply across all of the different cloud computing models: infrastructure as a service, platform as a service and software as a service.
Abuse and nefarious use of cloud computing is the top threat identified by the CSA. We're already seeing this in action with the use of botnets to spread spam and malware. Attackers can infiltrate a public cloud, for example, and find a way to upload malware to thousands of computers and use the power of the cloud infrastructure to attack other machines.
"The research brings out the fact that there are certain characteristics that the cloud is especially good at in terms of either being used as a platform for attacking, or in some cases, having amplified certain kinds of vulnerabilities," Whitener said.
The CSA also cautions against insecure application programming interfaces (APIs) that are used between applications for interoperability. Whitener used the example of a user logging in to a banking or tax program hosted in the cloud. Tokens are created that pass log-in information between applications using APIs that are often open to attack. "The interfaces passing these tokens don't always make sure that the programs passing them are legitimate," Whitener said.
"The API interfaces are vulnerable to people giving them a blunt call and asking them to bring up tax information, for example. We haven't been programming as a technology in one of these environments where it's just completely open; we've always written applications with the assumption that our own IT organizations would run them and we wouldn't have all this stuff happening in the background."
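One way an API can make sure the program passing it a token is legitimate, so that a "blunt call" never reaches the data. This is an added illustration, not code from the CSA document or from HP; the caller name, API name and key are constructed, and an HMAC-signed token stands in for whatever token scheme a real service uses.

```python
import base64, hashlib, hmac, json, time

# Constructed per-caller key; a real deployment keeps these in a secrets manager.
CALLER_KEYS = {"banking-portal": b"constructed-key-portal"}
AUDIENCE = "tax-records-api"  # hypothetical name of the API receiving the token

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def mint_token(caller, key, user, audience, ttl=60, now=None):
    """Caller side: sign the claims so the receiving API can authenticate the sender."""
    now = time.time() if now is None else now
    claims = {"iss": caller, "aud": audience, "sub": user, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

def verify_token(token, now=None):
    """API side: return the claims only if every check passes, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(body)
        key = CALLER_KEYS[claims["iss"]]  # only registered programs have a key
    except (ValueError, KeyError, TypeError, AttributeError):
        raise ValueError("malformed token or unknown caller") from None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("aud") != AUDIENCE:  # token minted for some other service
        raise ValueError("token was issued for a different API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < now:
        raise ValueError("token expired")
    return claims

def handle_request(token, now=None):
    """Endpoint wrapper: a call without a valid token never reaches the records."""
    try:
        claims = verify_token(token, now)
    except ValueError as err:
        return 401, str(err)
    return 200, f"records for {claims['sub']} requested by {claims['iss']}"
```
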
Organizations also need to assess the risk on the service provider's end, and demand segregation of duties and that no one person has root access to your data, for example. Otherwise, a malicious insider would have too much access and power to view and abuse data.
Cloud users also have to be aware of vulnerabilities in shared technologies, such as virtual machines, communications systems or key management technologies. A zero-day attack could quickly spread across a public cloud and expose all data within it, Whitener said.
Account, service and traffic hijacking is another issue that cloud users need to be aware of. These threats range from man-in-the-middle attacks, to phishing and spam campaigns, to denial-of-service attacks.
The CSA suggests that organizations be aware of technologies that aggregate data such as credit card numbers and other personal, sensitive customer and employee information to simplify management of that data. Any vulnerabilities in those systems could lead to data loss and compliance violations that could lead to expensive notification mandates and repairs to systems.
Finally, the CSA cautions organizations to be aware of their providers' risk profile. Some providers will say their cloud services are not PCI compliant, for example, and yet some users will put sensitive personal or customer records into the cloud and expose them to attack.
Whitener said companies cannot jump into the cloud without a proper risk assessment. The CSA recommends starting with non-sensitive data and carefully evaluating a service-level agreement; be aware of which are general-purpose services, and which make some statements about security and what can be expected.
"There are plenty of motivations for startups and ordinary businesses to use the cloud. Four out of five use the cloud because they don't have to go to their VC and ask for startup money for IT," Whitener said. "There's a lot of power in the cloud, and with that power comes the ability to quickly get lost. Limit your risk profile so that it makes the most sense for your organization."