One of the main cloud computing security issues often not discussed is that administrators need to keep ports open (e.g., SSH or RDP) so they can connect to and manage their servers. With these ports open, anyone – including hackers – can gain control simply by guessing (or brute-forcing) the administrator credentials.
According to a recent report by the Ponemon Institute titled "Managing Firewall Risks in the Cloud," 54 percent of IT personnel say they have no knowledge of the risk of open firewall ports on cloud servers. IT folks admit they just don't yet fully understand the dynamics of cloud infrastructure and its risk. They know that traditional, on-premises security fails to cover virtual and cloud environments. And they know that there really isn't a robust security toolset available from cloud providers. In fact, the cloud has grown so quickly that what's available from cloud providers is often limited, complex and manually operated, and is – of course – isolated to each provider's cloud.
It's not surprising there's general confusion and a lack of knowledge. If you think about the traditional data center, every server is behind the corporate perimeter (and firewall). So, if an administrator leaves SSH open on a server there, it's not a great risk. (This is like leaving your car unlocked in your locked garage.) When that same server is moved to the cloud, it's outside that corporate perimeter/firewall, and keeping those ports open now introduces an abundance of risk. (This is like leaving your car unlocked in a public parking lot.)
According to the Ponemon Institute study on cloud security, 39 percent of IT security personnel said that they thought the cloud provider would inform them if their cloud servers were hacked. We call these folks “wishful thinkers.” Perhaps even more concerning, 42 percent said they wouldn't know if their cloud server was hacked, and of those who know, 19 percent said they already have been. So clearly there's a big gap in cloud security and a misconception of who's responsible, and this issue is the top inhibitor to customer adoption. It all adds up to one thing: Service providers need to offer more security services to their customers.
By offering security services (i.e., those that the customer can opt in to, deploy and self-manage), providers will address the security issue head-on without eating into their margin or taking responsibility themselves. In fact, by making services such as encryption, firewalling and identity management available as a premium add-on, providers will increase their margins, differentiate their services and accelerate cloud adoption.
What enterprises need from their providers is the ability to centralize automated firewall management across all their servers and clouds. Automation makes security as elastic as the cloud infrastructure, and centralization eliminates gaps in security and processes and makes security administrators' lives much easier. This holds true for anyone who has a hosted, dedicated or virtual private server.
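An added example, not part of the original article or any provider's tooling: a provider-neutral audit in Python that flags servers whose inbound rules leave SSH or RDP reachable from any address. The `Rule` record, the provider and server names, and the inventory are constructed for illustration; a real audit would fill the inventory from each provider's firewall export.

```python
import ipaddress
from dataclasses import dataclass

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # the two admin ports the article names

@dataclass(frozen=True)
class Rule:
    """One inbound allow rule, normalized across providers (hypothetical schema)."""
    provider: str
    server: str
    protocol: str   # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    source: str     # CIDR allowed to connect

def is_world_open(cidr: str) -> bool:
    """True when the CIDR matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_admin_ports(rule: Rule) -> list[str]:
    """Names of admin services this rule opens to any source address."""
    if rule.protocol not in ("tcp", "all") or not is_world_open(rule.source):
        return []
    # Port ranges count too: 0-65535 exposes both SSH and RDP.
    return [name for port, name in sorted(ADMIN_PORTS.items())
            if rule.port_from <= port <= rule.port_to]

def audit(rules):
    """Map (provider, server) -> sorted admin services reachable by anyone."""
    findings = {}
    for rule in rules:
        for name in exposed_admin_ports(rule):
            findings.setdefault((rule.provider, rule.server), set()).add(name)
    return {key: sorted(names) for key, names in findings.items()}

# Constructed inventory spanning two clouds and one hosted server.
INVENTORY = [
    Rule("cloud-a", "web-1", "tcp", 443, 443, "0.0.0.0/0"),    # public HTTPS: fine
    Rule("cloud-a", "web-1", "tcp", 22, 22, "0.0.0.0/0"),      # SSH open to all
    Rule("cloud-a", "db-1", "tcp", 22, 22, "203.0.113.0/24"),  # SSH, restricted source
    Rule("cloud-b", "win-1", "tcp", 3389, 3389, "::/0"),       # RDP open over IPv6
    Rule("cloud-b", "batch-1", "all", 0, 65535, "0.0.0.0/0"),  # allow-all rule
    Rule("hosted", "vps-1", "udp", 22, 22, "0.0.0.0/0"),       # UDP, not SSH
]

if __name__ == "__main__":
    for (provider, server), names in sorted(audit(INVENTORY).items()):
        print(f"{provider}/{server}: {', '.join(names)} open to any source")
```

Running the same check over every provider's rules in one pass is what catches the IPv6 and allow-all cases that a per-console review of port 22 on 0.0.0.0/0 tends to miss.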
As a technologist, it's terrific to see cloud computing grow so rapidly. As a security guy, it's concerning to see that this explosive growth has come at the expense of security. I've talked with a lot of security folks, and they tell me they're struggling to catch up with the developers and infrastructure teams, which are quickly migrating their enterprises to the cloud. New solutions are needed to help them catch up, approaches that give cloud providers the tools to protect their customers.