The cloud offers reliability, cost savings and convenience, but protecting it requires modern-day defenses, reports Jim Romeo.
Some 75 million people use the online cloud-based service Evernote to store everything from notes, photos, clips and personal data. But, the convenience clients had become accustomed to when using this site was disturbed in early 2013. That's when the company required all 50 million of its users to reset their passwords after an intrusion – described as the beginning of a sophisticated attack – was discovered. Fortunately, a major breach was averted.
This is just one illustration of how cloud computing – after a few years of evolution and widespread acceptance – remains a vulnerable terrain for security risk. In fact, Alert Logic's “State of Cloud Security Report” found that web application attacks remain the most significant threat for cloud-hosting provider environments, with 52 percent of customers impacted. The study examined 45,000 security events at more than 1,800 organizations over a six-month period.
“Overall, cloud security is essentially in its adolescence,” says Kevin O'Brien, enterprise solution architect at CloudLock, a Waltham, Mass.-based cloud data security company. The field is beginning to show signs of maturity, but not universally, he says. “There are awkward moments to be worked through as CSOs and CIOs increasingly implement solutions that transition away from legacy on-premise data management strategies,” he says.
Over the past decade, he points out, layered security, often referred to as defense-in-depth, has evolved as a central theme of risk mitigation. By ensuring that no single point of failure can result in the loss of sensitive data or inappropriate access, security professionals can account for the eventual breakdown of individual components in their strategic defense plans. If the firewall fails, for example, there are redundant backups and the information stored behind those firewalls is tightly controlled to prevent even inadvertent open access allowing a complete data loss.
O'Brien says the concept of defense-in-depth remains sound, but its implementation is significantly complicated by a shift toward externalized servers and resources. Defense-in-depth, of course, has always called for a focus on various facets of security. One key is data protection and access controls for customers, as well as other end-users who employ the services of companies which operate in the cloud. This trend has intensified the security focus of many of those who use and provide cloud computing.
“Reliability and security continue to be significant concerns for cloud customers, particularly in light of any major outage or data loss that makes its way into media headlines,” says Dave Frymier, CISO at Unisys, a global information technology company based in Blue Bell, Penn. But, while the risks remain the same, the good news, he says, is that technologies that address these risks have evolved over the past year or two. “In the best implementations, authorization is performed within the customer's enterprise data centers, so the customer retains control of encryption keys,” says Frymier.
Customer computing habits are changing as well. Today's end-users are virtual, continually on the go and expecting anytime-access. Hormazd Romer, senior director of product marketing at Accellion, a Palo Alto, Calif.-based company that provides mobile file-sharing solutions, says there are two areas that have changed over the past year or two. The first, he says, is that with the explosion of tablets and smartphones, the risk of data leakage from mobile content sharing has increased. The second trend he sees is the increasing sophistication of hackers. “With each passing year, hackers get more advanced, and thus have more opportunities to disrupt online activities,” Romer says. “Security departments need to be vigilant against these kinds of attacks and risks.”
Most observers expect a set of standards to be forthcoming as cloud computing matures. This will help align the supply chain of cloud computing with the growing volume of end-users. “Both cloud technology and security within the cloud are still maturing and will take some time to become steady state,” says Len Whitten, director of cloud services product management at SunGard Availability Services, a Wayne, Penn.-based provider of IT availability and business continuity. Most industry experts agree it will take a few years to see official standards and controls as they relate to cloud, he says. Meanwhile, executives need to look at the generally accepted controls for security and risk management, as well as the processes involved, and determine what best fits their security needs. Many companies look today to the standards established – and continually modified – by the Cloud Security Alliance (CSA). Although the group is not designated as a standards body, it is the authority that most look to for cloud security guidance, Whitten says. In particular, he says the CSA's governance, risk and control questionnaire addresses a number of primary cloud concerns.