Crummy cloud computing SLAs, the assumption that cloud computing is bad, and the belief that you’ll lose all control in moving to the cloud are among the mistakes companies should avoid making in cloud security, a security consultant said Wednesday at Cornerstones of Trust 2011.
Eugene Schultz, chief technology officer at Emagined Security, a consulting firm based in San Carlos, Calif., ticked off a list of cloud mistakes at the one-day security conference held in Foster City, Calif. The annual event is co-hosted by the Information Systems Security Association's Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.
There isn’t yet a long list of lessons learned in cloud computing to draw on, Schultz said, but his firm has seen some mistakes companies are making. One of those is superficial handling of service-level agreements (SLAs) with their cloud providers.
“To get the risk controls you want, you need to embed controls in your SLA,” Schultz said. “All these things need to be spelled out.”
For example, if the SLA includes intrusion detection, there should be details about the frequency of alerts and level of monitoring, he said. SLAs should also include provisions for audits to ensure adequate monitoring of the cloud vendor, he said.
Another mistake companies should avoid making is overestimating a cloud provider’s ability to provide data security, Schultz said. The only remedy, he advised, is the SLA and provisions for data protection and providing the customer with compensation for lost data.
However, one of the worst mistakes enterprises can make is assuming the cloud is bad, Schultz said. While cloud computing is justly criticized as immature, some providers have emerged as leaders, and providers that are bad go out of business. “Look at your own IT organization. IT organizations never work as well as they should,” he said. “You might be able to find a provider that does IT operations better.”
Companies also shouldn’t assume that moving to the cloud will make security worse, Schultz said. “Some cloud service providers deliver information security risk management services better than we have in the past,” he said.
At the same time, organizations shouldn’t expect to lose all control to mitigate risk in moving to the cloud, he said. “You need to view the cloud environment as an extension of your internal IT infrastructure. … There are still many controls you can implement, such as provisioning.”
Other mistakes companies should avoid in cloud security, according to Schultz:
- Underestimating the legal issues associated with the cloud.
- Assuming the transition to the cloud will be easy. For example, if a company uses certificate-based authentication, it might find out its cloud provider doesn’t support that, he said.
- Overlooking federated identity authentication. Schultz recommended companies strongly consider strengthening cloud authentication and authorization by using a federated identity provider.
- Ignoring cloud-related incident response issues.
“Whether you like it or not, you’ll be a cloud player,” Schultz told attendees. “Organizations more and more are dabbling in the cloud.”
After Schultz’s presentation, Justin Drain, data security manager at Fremont Bank, said cloud computing is the wave of the future. “Everyone is looking at ways to save money,” he said. “If I don’t understand the security issues around it [cloud computing], I’m not doing my job.”