Cloud architectures aren’t secure. That’s one takeaway I got from Bob Violino's piece for Computerworld, "Cloud SWAT teams". It outlines a security incident response approach we recommend on a regular basis; in fact, you'll find us saying the same thing to Computerworld Australia last year in "Sony needs an incident response team". Now, nobody requires cloud services to be secure. There aren’t any government regulations - no laws that require Amazon, which recently had several security vulnerabilities found and fixed, and others to prove adequate levels of security. It has been pretty much down to users to define, although, credit where credit is due, the providers in this space do recognize the need and are moving forward.
The users - companies reliant on secure IT practices and answering to their customers, regulators and the business - have had years to refine their security architectures and comply with SOX, PCI, HIPAA and other strict mandates. Cloud services, on the other hand, are relatively immature, untested and unregulated. They’re vulnerable to the kinds of hacking that traditional IT environments experience - identity theft, for example.
Try searching for “hacking passwords” on YouTube. At last count, there were 18,400 results, including full-blown tutorials about automated, software-driven password discovery. Some of these videos will tell you how to use deductive reasoning to figure out which relative’s or dog’s name someone is using. It’s human nature to choose weak passwords. It’s also human nature to use those same weak passwords for multiple sites. And so if someone figures out a weak password for one site, they might gain access to a mother lode of confidential information on another. What’s scary is that even IT pros make this mistake. A recent Harris Interactive survey found that 61 percent of IT decision makers use the same username/password for more than 3 personal accounts.
All of which is my long-winded way of saying that if your cloud service architecture isn't as good as your everyday corporate data center security, there could be trouble ahead.
Keeping with user passwords and access management: you can use the same access management safeguards in a public cloud that you use in your corporate environment - and enjoy the same level of security - by leveraging your existing identity infrastructure to access all your cloud applications and get consistent compliance tracking. With an appropriate Cloud Security Service, employees can access the cloud using the same username and password that they use within the company; IT can maintain the same logging and tracking capabilities and make sure that the right policies are in force per user.
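To make the federation idea concrete, here is an added example (not code from the post or from any NetIQ product) of a minimal identity broker: the employee authenticates with corporate credentials, per-user policy is enforced, every decision is audited centrally, and the cloud application receives only a short-lived signed assertion, never the corporate password. The directory, policy model, signing key and app names are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def _hash(salt, password):
    # PBKDF2 stands in for whatever the corporate directory actually does.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed corporate directory: in practice an LDAP/AD lookup.
DIRECTORY = {
    "alice": {"salt": b"salt-a", "hash": _hash(b"salt-a", "correct horse battery"), "groups": {"finance", "staff"}},
    "bob":   {"salt": b"salt-b", "hash": _hash(b"salt-b", "bobs-desk-password"),    "groups": {"staff"}},
}
# Assumed policy model: group -> cloud apps that group may reach.
POLICY = {"finance": {"erp-saas"}, "staff": {"mail-saas", "files-saas"}}
BROKER_KEY = b"constructed-broker-signing-key"   # shared with the cloud app out of band
AUDIT_LOG = []                                  # one consistent record per decision
TOKEN_TTL = 300                                 # seconds

def broker_login(user, password, app, now=None):
    """Check corporate credentials, enforce per-user policy, audit, then issue an assertion."""
    now = int(now if now is not None else time.time())
    entry = DIRECTORY.get(user)
    ok_pw = entry is not None and hmac.compare_digest(entry["hash"], _hash(entry["salt"], password))
    allowed = ok_pw and any(app in POLICY.get(g, ()) for g in entry["groups"])
    outcome = "allow" if allowed else ("denied-policy" if ok_pw else "denied-auth")
    AUDIT_LOG.append({"ts": now, "user": user, "app": app, "outcome": outcome})
    if not allowed:
        return None
    claims = {"sub": user, "aud": app, "iat": now, "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def cloud_app_verify(token, app, now=None):
    """The cloud app's side: verify signature, audience and expiry; return the subject or None."""
    now = int(now if now is not None else time.time())
    try:
        body, sig = token.split(".")
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != app or claims.get("exp", 0) <= now:
        return None
    return claims["sub"]
```

Because the audit record is written by the broker rather than by each SaaS vendor, the "denied-policy" and "denied-auth" outcomes land in the same log that already feeds corporate compliance reporting.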
Amazon took some heat late last year. But I sense things are about to get interesting. Public cloud adoption is growing - look at Apple's iCloud service, for example. Somebody will hack in and steal some highly confidential information from a well-known corporation, again, soon. But who'll be liable: the cloud service provider, the user who was storing the information, or the corporation?
Jan 09 2012, 11:19 AM
Filed under: PCI DSS, NetIQ, Cloud Computing, Compliance, Computerworld, HIPAA, cloud security, SOX, Identity Theft, Public Cloud, Sony, Novell, Harris Interactive, Bob Violino, Amazon Web Services, Cloud Security Services, Access Management, RichardWhitehead, Security Web