SANTA CLARA, Calif.--Tackling cloud security involves educating developers on security, leveraging asset inventories and cloud provider due diligence.
Those were among the cloud security best practices offered up during a panel discussion held here Wednesday at Cloud Expo 2011. The panel featured five members of the Cloud Network of Women (CloudNOW), a nonprofit consortium of leading women in cloud computing, who discussed a variety of cloud computing security issues and challenges.
The ease and convenience of the cloud opens the door to increased security problems, said Kristin Lovejoy, vice president of information technology risk for IBM. “It’s unbelievably easy to spin up a new image, and the people who are doing it aren’t necessarily security experts, but [rather] developers,” she said. Within seven minutes, the image can be compromised, she added.
“The issue with cloud is the easier we’ve made it for people to innovate, the easier we’ve made it to be compromised,” Lovejoy said.
The most common attack Lovejoy has seen against cloud resources targets SSH. “Developers will use weak passwords and associate them with the image,” she said, noting that these types of attacks aren’t unique to cloud environments.
“Those developing cloud applications need to be aware of that risk,” said Lovejoy, who sees developer education as a top cloud security challenge.
Migrating data to the cloud can provide an opportunity for companies to make security improvements, said Jamie Dos Santos, president and CEO of Terremark Federal Group. “It’s a good opportunity to clean up your act,” she said.
Jill Tummler Singer, CIO for the National Reconnaissance Office (NRO), a Department of Defense agency, agreed.
“As you move to a cloud environment, it’s a good opportunity to go through an asset inventory,” she said. “You will find applications that have little utilization. You’ll also find applications that have security gaps and holes. It’ll give you the chance to plug holes before moving to the cloud.”
Singer and other panelists also stressed the importance of due diligence in order to vet cloud provider security. For data privacy and compliance, customers need to know where their cloud provider and data are located, they said.
Lovejoy said cloud customers need to find out what notification the provider will offer in the event of a breach, and whether it’s conducting any monitoring. “Make sure you understand what they’re offering,” she advised.
“When a provider offers security services, please take them,” Lovejoy said. “There’s this assumption that these are happening automatically.”
Panelists also noted limitations of security technologies when it comes to cloud computing. “The technologies we built haven’t necessarily evolved so they’re robust enough to manage the cloud infrastructure,” Lovejoy said. For example, most companies don’t have an agent-based tool that will alert them to configuration drift of an image in their cloud environment, she said.
“There’s still no consistent security platform that can be applied” to cloud environments, Lovejoy said.
Encryption is critical for data protection in the cloud, but we don’t yet have encryption and key management that can keep up with the volume of cloud data, Singer said. “Data privacy issues will drive that to scale,” she said.