Tag Archives: risk

Where Are My Bits?

NO DOUBT ABOUT IT – there is a sea change happening as individuals and companies slowly grasp the upside of cloud computing. But I still get challenged at conferences: “What about the security risk? I have to know that my bits are safe. How do I know these service providers are not going to mine my data and exploit all my information?”

The short answer is that you don’t – no one does. But then again – where are my bits, and where are your bits? In general, we don’t have a clue. Everything from our banking details, passport, national insurance, tax and medical records is stored somewhere, but we don’t know where. And do we care? We don’t give it a thought. Perhaps we should – bankers have proven to be less than honest and many of our institutions seem to excel in losing memory sticks, hard drives and laptops with our private info.

My worst nightmare is that the companies and institutions storing my data have been foolish enough to assign it to one drive, drive set, rack or floor in a single physical location. If they have, they are naive in the extreme, and are putting me at risk along with everyone else.

Perhaps the most paranoid objection voiced goes like this: “I don’t want anyone else’s data on my hard drive.” Such a strong sentiment reflects a lack of understanding that is really worrisome, especially when some of the protagonists are employed in IT departments.

Personally, I hope my bits are mixed in with thousands of others and spread all over the planet on multiple drives backed up in multiple locations. Such a scenario is more secure, and it can be rendered extreme by variable encryption. How come? If someone steals a file, and manages to crack the layered encryption, that person will only have partial documents.

The best the thieves can hope for is a mere glimpse of the full picture. To get to the real meat, they need the context, which is spread across an impossibly large number of drives and locations. This may be an impossible nut to crack with today’s technology.

Like it or not, cloud computing is not going away anytime soon. It is going to grow, and as it does, it will become increasingly secure. Our data will become safer, and all the more so as it becomes more dispersed. And yet, I hear sensible people demanding that their in-house data has to be held on a company server, in a company building, on company soil, always to be under the company eye and control.

Why do people think this way? Perhaps it is just habit, or more about the illusion of control. Such thinking is delusional – none of us can control our own data, let alone that of our companies. The internet, servers and service providers are leaky buckets with data seeping out and in. The good news is that it is unpredictable and difficult to read. The real problem is one of trust and reputation. Who do you trust? Your bank, ISP, Google, HP, Apple or IBM ?

You might want to contemplate running with several providers simultaneously – that way, you can control some of the dispersal and add another layer of security. Reliability, resilience and security seldom come cheap, but it is vital to spread data across the internet in a parsed format. But do we do it ourselves, or do we let others do it for us? I prefer the latter course, through a trusted intermediary.

To me, this is no different to keeping money under my mattress, using a bank, or carrying cash. It is all about resource management and using service industries that organise bits on our behalf while saving us time and money.

Paradoxically, the last people to figure all this out might be those CIOs and IT departments stuck in business and operating modes cast in the 1960s. The cloud is coming and there are great advantages to be had – but we have to accept the challenge of change.

Author: Peter Cochrane

Secure Your Virtual Environment

Security exists to protect the tangible things in life. If something is deemed special enough to be protected, we do so with highly visible declarations of security. Deadbolts on doors are large and comforting; alarm systems used to protect buildings are there for all to see; seatbelts in cars tell the world that we are taking our safety seriously.

While protecting homes and possessions is simple human behaviour, there are important aspects of day-to-day life which sadly go unprotected – especially in business. This is down in part to the rapid technological revolution that businesses have been privy to over the past few decades.

Fifty years ago important documents could simply be kept under lock and key in a secure file room – but in this decade of technological advancement, important documents no longer exist in their paper form alone.

Emails, computers and IT systems became commonplace in a very short amount of time, leaving storage and security struggling to keep pace. Inevitably, as the volume of this data grew, space became an issue.

This is where virtualization really came to the fore. Virtual storage allows companies to store far greater volumes of information without investing in expensive, space-sapping servers. It appeared to offer the perfect solution, and prompted a boom in popularity.

Indeed, a study by leading analyst Gartner charts the rise and rise of virtualization, predicting that approximately half of all x86 architecture server workloads will be virtualized by the end of 2012.

But while virtualization has grown in popularity, securing virtual environments has lagged behind. While companies have been fast to virtualize, they have been slow to secure and, contrary to popular belief, this is not down to a lack of threat.

Security threats in the virtual space – particularly from malware – are greater than ever before.

There is a common perception that virtual machines are more secure than physical ones, but this is little more than a myth. In fact, virtual systems are just as vulnerable to malware in the form of malicious email attachments, drive-by downloads, botnet Trojans and even targeted ‘spear-phishing’ attacks.

The same Gartner study found that in 2012, two thirds of virtualized servers will be less secure than the physical servers they replace. This is even more disconcerting when Kaspersky’s own Global Virtualisation B2B study also found that 81 per cent of services launched in virtual environments are business critical.

Sadly, many businesses are guilty of undercutting the inherent benefits of virtualization when they fail to properly implement anti-malware solutions to protect from data loss and cybercrime. Technology has revolutionised business, but it is only possible to reap the rewards if sensitive data is adequately secured and protected.

Choosing the right type of virtualization security is almost as important as deciding to secure your virtual environment in the first place. For starters, it’s a fact that some anti-virus implementations can bog down the virtual infrastructure, reducing consolidation ratios and limiting ROI.

According to the Kaspersky Lab study, 61 per cent of IT professionals cite performance as the most important factor when assessing the effectiveness of virtualization security, so choosing a programme which allows for the smooth running of IT systems is imperative.

Information is like oxygen to a business, so all possible measures should be taken in order to protect it. As well as the risk of theft and public embarrassment, leaving virtual servers unsecured opens your business up to the possibility of a serious and costly data breach.

Investing in virtualization security is business common sense, but it should not be undertaken lightly. Extensive research into your business’ requirements, as well as a thorough assessment of the products on offer, is undoubtedly time well spent. An element of education is also advisable, especially given that Kaspersky Lab found that 41 per cent of IT staff rate their knowledge of virtual environments as ‘basic’.

Virtual environments may not be tangible, but this is not to say that they do not require adequate security and protection. Putting the locks and bolts onto your virtual servers is just as easy as fastening a seatbelt, providing you have the necessary expertise in your armoury.

Author: Peter Beardmore

Days Of Authoritarian IT Departments Are Over

Today, it is no longer a question of when IT will align with business leaders, but how. That is the conclusion of a new report from Forrester Research, which describes the policies and procedures for implementing cloud computing in the corporate environment.

These are required, according to Forrester, because the traditional model of IT management under the rigid control of the IT department has now become restrictive and outdated. Business managers want the power to rapidly procure and provision the technology they need, unhindered by the diktats of an “authoritarian” IT department, say the firm’s analysts.

“Underlying this new model of business and IT is a shift away from rules – IT specifying exactly what and how all technologies are adopted and applied to overcome business problems – to one of business working within a series of ‘guard rails’ that provide softer guidance on how best to select, choose, and consume cloud services,” writes Forrester analyst James Staten in the report.

IT will maintain its strict rules for the technologies that matter at the core of the business, but will “bend” to enable the introduction of new private and public cloud technology. That will give the business executives that need it the greater autonomy that they seek.

There are three essential elements to this new approach, argues Forrester:

1. Create policies and rules based on what matters and where;
2. Revise lines of accountability and share responsibility in alignment with the policies and new rules;
3. Coach, collaborate and inspect to make sure that the new approach is effective and respected.

The rules for different applications will be grouped into “zones” based on risk – hence, rules governing the use of Plaxo or LinkedIn will be very much less prescriptive than rules for using Salesforce.com. These zones will be based on:

1. Business opportunity;
2. Business impact and risk;
3. Technology complexity and risk.

Clarity on accountability and responsibility will bring the right level of control, believes Staten.

He says that businesses need to start today in order not to be left behind in the unfolding revolution over the next decade.

“Technology may be pervasive, and business execs know that, but to them, the IT organization is a drag on time-to-market and closed to their new ideas. But because technology is pervasive, your business will want to use it to succeed in a market of empowered customers, globalized competition and pricier resources,” writes Staten.

“You want to help them succeed at this, and that means empowering them with greater ability to execute on their own, but to do so safely for the overall enterprise,” he concludes.

Author: Graeme Burton

The CIO Versus Users Who Buy Their Own IT

The CIO, as we understand the role, is under threat from Cloud Computing, and ICT professionals need to start getting smart about their function.

That was the stark warning from Oracle, a company whose conversion to the Cloud has taken time to go public. While once dismissed by CEO Larry Ellison as “just water vapour”, Cloud is now firmly on the Oracle road map as a top priority.

Hence the appearance of John Abel, chief architect for Oracle, at the firm’s Cloud Conference in London this week where he told delegates that they had to get closer to the business side of the organisation – and at an earlier stage in order to stop non-techies from procuring their own ICT services.

Such ‘land and expand’ strategies have been commonplace in private sector Cloud Computing, where departmental heads in, for example, sales have grown tired of waiting for an official ICT department roll-out of new functionality and have instead subscribed to Salesforce.com off their own bat.

“CIOs need to make sure that they are part of the business conversation early on. For the first time, thanks to Cloud Computing, the business is able to sub-navigate IT,” warned Abel. “Project control is becoming increasingly important for CIOs, because now the business thinks that it doesn’t need IT and it can go and procure its own IT capabilities with SaaS.

“The business person of the future is the same person that will be used to using Facebook and Twitter. They will be used to instant access, they want IT now,” he added. “That’s the challenge that IT has with Cloud, because if IT can’t give the business that instant capability, they will go and get it from somewhere else.”

This isn’t necessarily a threat though, he argued, as it gives the ICT professional a new form of engagement with the organisation. “A good CIO will use this as an opportunity, whereas CIOs that are more conservative, or more risk averse, will see it as a threat,” he said. “The IT department can capture this problem early and initiate discussions with the business.

“They will work with the business to understand what direction they are moving in, to understand how the IT capability and Cloud can be used to get it there. If they haven’t had that conversation and captured those requirements early, they will be in trouble.”

Author: Stuart Lauchlan

A Structured Approach To Cloud Security

The term “cloud” has been turned into a marketing platform by many suppliers and this has obscured what it really is – a way to procure and deliver IT services. The cloud covers a wide spectrum of services and delivery models. The common security concerns are ensuring the confidentiality, integrity and availability of the services and data delivered through a cloud environment.

Cloud computing makes people uneasy. The perceived lack of ownership and control has a tendency to cause an almost instinctive sense of vulnerability, but Simon Salmon, CSA UK and Ireland Chapter member, questions if this is justified.

He says the answer depends on the circumstances, since cloud solutions can be as secure or insecure as any other IT implementation. Many of the issues an organisation should be considering regarding cloud computing relate equally to traditional IT implementations.

Understand the value of your data in the cloud

One pressing question surrounds what happens to a customer’s data when stored and/or processed in the cloud. Should things go wrong, what mechanisms are available for reporting issues and tracking them? Is the SLA acceptable for your business? Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management, urges chief information security officers (CISOs) to understand the type and value of the data their organisation wants to put into the cloud. Businesses therefore need to consider whether the data is public, company internal, company sensitive or personal information (personal data includes employee National Insurance number, medical information, credit card or bank details).

Once you know what type and value of data you are dealing with, you can identify any regulations and/or industry rules that might apply, such as the Data Protection Act (personal data) or the Payment Card Industry rules (PCI, credit card information), says Wenham.

Knowing the value of data and the applicable rules and regulations leads to an understanding of what needs to be done to ensure compliance. From this understanding, the terms and conditions of various cloud-based services can be reviewed and informed decisions taken. For instance, if the cloud service provider is unable or unwilling to legally commit to keeping data at all times within the EU (or EU-acceptable safe harbour), then personal data should not be stored or processed in the cloud.

Evaluate the risk of cloud data-loss

CISOs must also evaluate a cloud provider’s guarantee that data cannot be lost, as data loss has happened in the past.

Wenham says the service level on offer may not be sufficient. Remember that 99.5% availability means that in any 12-month period the cloud service could be off air for a total of nearly two days, and don’t forget your local internet connection and your internet service. The cloud provider can only commit to an SLA for their service, not for the whole internet or your connection to it. Wenham urges business leaders to determine how well the supplier’s definition of service availability matches their own requirements.
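As an added worked example (not from the article), the arithmetic behind that 99.5% figure, carried one step further to the whole path a user depends on: the provider's SLA chained with the ISP and the office link that the SLA does not cover. The ISP and office-link availabilities are assumed values, not figures from the article.

```python
"""Worked SLA arithmetic for a cloud availability review.

Added example, not part of the article: it takes the 99.5% figure quoted
above and chains it with the local internet link and ISP that the
provider's SLA says nothing about. The ISP and office-link figures are
constructed for illustration.
"""
from typing import Dict

HOURS_PER_YEAR = 365 * 24  # 8760 hours in the 12-month period the article uses


def downtime_hours_per_year(availability: float) -> float:
    """Maximum outage, in hours per year, that an availability fraction allows."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return (1.0 - availability) * HOURS_PER_YEAR


def end_to_end_availability(chain: Dict[str, float]) -> float:
    """Availability of components that must all be up for the service to work.

    Assumes independent failures, so the fractions multiply; the result can
    never exceed the weakest link, and every extra dependency lowers it.
    """
    total = 1.0
    for name, availability in chain.items():
        if not 0.0 <= availability <= 1.0:
            raise ValueError(f"{name}: {availability} is not a fraction")
        total *= availability
    return total


def required_per_component(target: float, components: int) -> float:
    """Availability each of `components` equal links needs so that the chain
    still meets `target` end to end (the n-th root of the target)."""
    if components < 1:
        raise ValueError("need at least one component")
    return target ** (1.0 / components)


def sla_gap_report(chain: Dict[str, float], provider: str, target: float) -> dict:
    """Compare the provider's SLA alone with the whole path the user depends on.

    Returns the downtime hours the provider's SLA permits, the hours the full
    chain permits, how many of those hours fall outside the provider's
    commitment, and whether the chain meets the business target.
    """
    chain_availability = end_to_end_availability(chain)
    provider_only = downtime_hours_per_year(chain[provider])
    whole_chain = downtime_hours_per_year(chain_availability)
    return {
        "provider_hours": provider_only,
        "chain_hours": whole_chain,
        "uncovered_hours": whole_chain - provider_only,
        "meets_target": chain_availability >= target,
    }


# Constructed scenario: the article's 99.5% provider SLA plus two dependencies
# the provider does not commit to. The ISP and office-link values are
# illustrative assumptions, not figures from the article.
ACCESS_CHAIN = {
    "cloud provider SLA": 0.995,
    "ISP (assumed)": 0.995,
    "office internet link (assumed)": 0.99,
}

if __name__ == "__main__":
    alone = downtime_hours_per_year(0.995)
    print(f"99.5% alone: {alone:.1f} h/year ({alone / 24:.3f} days)")
    report = sla_gap_report(ACCESS_CHAIN, "cloud provider SLA", target=0.995)
    for key, value in report.items():
        print(f"{key}: {value}")
    need = required_per_component(0.995, len(ACCESS_CHAIN))
    print(f"each of {len(ACCESS_CHAIN)} links would need {need:.4%} "
          f"to keep 99.5% end to end")
```

The point for an SLA review is the `uncovered_hours` figure: downtime the business will experience that no provider credit will ever compensate.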

And when things go wrong, the CISO must examine the mechanisms available for reporting issues and tracking them. Wenham says: “Remember that many cloud providers will only accept problem reports by e-mail and then only from one named/identified person (usually the account holder) and this could impact service restore time.”

Match cloud security measures to data value

Wenham says protecting sensitive information in the cloud requires encrypting the data. If you do encrypt the data, then you would typically only be using the cloud for storage and not processing, as you would need to decrypt the data before you can process it.

He recommends CISOs assess whether the login authentication mechanisms the supplier offers are commensurate with the value of data being stored or processed. For instance, is a user name and password the only mechanism available or are multi-factor mechanisms available? Can password complexity and password expiry be set and can these be managed by the business?

Looking for and choosing a cloud provider that is ISO 27001-accredited is to be recommended, but the fact that a vendor has current ISO accreditation does not mean you can ignore other considerations.

Along with data controls, Mike Small, member of the London Chapter ISACA Security Advisory Group and senior analyst with KuppingerCole, urges CISOs to concentrate on establishing a good framework for governance. As Wenham said earlier, when moving to the cloud it is important that business requirements are understood and that the cloud service is selected to meet these needs. Small says taking a good governance approach, such as COBIT, is key to safely embracing the cloud and the benefits that it provides.

Beware cloud supplier lock-ins

Small warns CISOs to be wary of supplier lock-ins that can easily occur in the cloud. There are a number of factors that can make changing cloud provider difficult. The ownership of the data held in the cloud may not be clear and return of the data on termination of contract may be costly or slow, Small warns. When data is returned, it may not be in a form that can easily be used or migrated. Cloud services (built using cloud platforms, PaaS in particular) may be based on a proprietary architecture and interfaces making it very difficult to migrate to another provider. The risks of building business services based on a proprietary technical architecture are high and technical standards should be adopted where possible. Ensure ownership of data is clear and the terms for its return on termination of contract are acceptable.

For Simon Salmon, CSA UK and Ireland Chapter member, the question remains of whether businesses are being over-cautious when it comes to cloud security.

He says: “At the least, cloud-based systems should prompt everyone to think through far more carefully what their security requirements are across the whole supply chain. Given that, and also that cloud services have been developed with security in mind, it is possible the information security may actually improve.”

There will be cloud security breaches, but businesses have experienced security breaches that are not related to cloud computing. When working with a cloud provider, it is possible to ensure your exposure to risk does not increase.

“However if you currently don’t consider security issues, you may struggle in the cloud!” says Salmon.

Author: Warwick Ashford

Overcoming Doubts About Cloud Computing

Cloud Computing, which allows organisations to share resources, software and applications, can bring radical change to public sector ICT services. Using the cloud will reduce costs and risks and bring scalability and resilience. But many top managers believe the risks are too great. The author looks at the reality of Cloud Computing.

It seems that board-level executives are not as keen as their IT professionals on the adoption of Cloud computing, according to no fewer than three new reports. The reports from heavyweights Dell, IBM and Symantec report varying levels of fear, uncertainty and doubt about Cloud adoption. This is a little surprising given the importance CEOs and boards always purport to give to efficiency and cost reductions – two of the undoubted benefits of cloud computing.

In a recent Dell survey 223 IT professionals at this year’s Cloud Expo were asked about their companies’ attitudes to cloud computing. The survey showed up the differences between how business leaders view the cloud and how IT professionals view it.

The IT professionals reported that business leaders were more likely than themselves to describe the cloud as either having “immense potential” or being a “passing fad.” According to Dell “the survey data validates a perceived lingering disconnect in expectations between IT professionals and senior business executives.”

The second report, Symantec’s 2011 Virtualisation and Evolution to The Cloud, points out that over 75 percent of C-Level executives cite reliability, security and performance as their main concerns about virtualization and hybrid-cloud deployment. These numbers stand in contrast to responses from IT professionals, who report that after cloud adoption, these areas all scored quite well compared to their goals.

The third report, IBM’s 2011 Global CIO Study, devotes an entire section to a survey of 622 midmarket CIOs and highlights the obstacles that IT departments face depending on their business needs and goals. The report highlights that no single solution for cloud adoption is going to work across the board.

Presenting the benefits of cloud computing realistically

What this shows is that CIOs are still not effectively communicating the business benefits of Cloud computing to their bosses. What all three surveys show is that good communication between IT and C-level management is critical for any business looking into cloud adoption, the hybrid cloud, or even just increased virtualization. It is obvious that major areas of concern like security and reliability, initialization costs and long-term investment are not being explained properly to the Board.

CIOs and IT managers must be careful not to over-sell the cloud and promise results that are impossible. The Symantec report showed a chasm between expectations and reality in the area of scalability, something a cloud solution excels at. This obviously means that many C-level executives were over-sold or were simply never brought down to the reality of the cloud’s abilities. Other areas where businesses felt that the cloud fell short were in reducing operating expenses and reducing complexity. These types of failures make it less likely that management will approve future cloud initiatives. When discussing IT solutions, IT professionals should be sure they are discussing the current cloud, instead of an idealized hypothesis of what it may one day become.

The Symantec report says that security is the major worry of most CEOs, cited by 77% of them. This is followed by concern about reliability (71%) and performance (also 71%). This is not entirely surprising given the huge media exposure given to data breaches such as those at Sony, RSA Security, Sega and many others. What is surprising is that CIOs are not explaining that the breaches are not necessarily due to Cloud Computing and could have, and may have, occurred on in-house managed systems.

Why is the message not getting through?

So why aren’t their IT people putting them right on all this? Maybe they are, but aren’t being listened to. Maybe they are, but they can’t convey the message in the language that the board can understand. Whichever is true, it’s clear that better communication is needed between wary CEOs and their IT managers.

However, Cloud Computing is at least high up on the agenda – with up to 90% of organisations stating that they are at least discussing Cloud projects. But among some of those who said they had installed Cloud Computing in some form, the curse of bad communication hit them again – over-inflated expectations led many to complain that the actual implementation of Cloud did not come up to their expectations. That can only be blamed on the CTOs.

Symantec created its own check list of recommendations to make Cloud adoption as smooth as possible:

• Ensure alignment between IT and executives in virtualization and cloud initiatives: It is important to show that you can address C-level concerns such as security and availability.

• Don’t operate in a silo when it comes to Cloud Computing: virtualisation and Cloud initiatives are most successful when implemented as mainstream, comprehensive IT initiatives.

• Leverage and modernize your existing infrastructure: Before you’re ready to implement hybrid/private cloud, make sure you are leveraging the existing infrastructure to achieve the same efficiencies and then modernising it as needed.

• Set realistic expectations and track your results: Remember that despite the hype, Cloud is a new and still maturing market. Do your homework to set expectations that are realistic, then follow up and track results to identify ways to improve project efficiency going forward.

Moving many IT services into the cloud is quickly becoming a requirement for organisations. It doesn’t seem to matter what the organisation is – from industrial applications to making food, it can benefit from scalable storage and powerful virtualized business intelligence. Businesses that fail to take advantage of these solutions risk losing a huge edge to competitors who do take advantage of the cloud. IT professionals should see it as their responsibility to convince management to adopt cloud solutions for their businesses, but they have to be careful to set realistic expectations or they will set their companies back many years and risk the lasting mistrust of their boards.


Gartner: Virtualisation and cloud computing race ahead of security practices

The rush toward virtualisation of internal enterprise computing resources and cloud computing can have many advantages, such as server consolidation, but it’s largely outracing traditional security and identity management practices.

That’s leaving huge gaps, a sense of chaos and questions about where security products and services should be applied in the world of multi-vendor virtual-machine (VM) hypervisors.

“Virtualisation will radically change how you secure and manage your computing environment,” Gartner analyst Neil MacDonald said this week at a Gartner Security and Risk Management Summit in the US. “Workloads are more mobile, and more difficult to secure. It breaks the security policies tied to physical location. We need security policies independent of network topology.”

Gartner estimates almost half of x86-based server workloads are virtualised today, with VMware the clear market leader, but with Microsoft Hyper-V on the rise and Citrix a contender. Gartner advocates that enterprises plan to move to a private-cloud architecture. But at the same time, the consultancy acknowledged management tools and security really haven’t risen to meet the occasion.

“The hypervisor will be less secure than the physical systems they replace,” MacDonald said. “The integrity of that bottom layer is paramount. The hypervisor layer you don’t want compromised.”

Today there’s often a “lack of visibility and controls on internal VM-to-VM communications,” said MacDonald. “Should VM No. 1 be talking to VM No. 3? How do you know they’re not attacking? The traffic never comes out onto our physical network.” Some companies are willing to live with this uncertainty, others not, MacDonald said.

But it’s questions such as these that demand to be addressed to find out what options exist to tackle virtualisation and cloud security. In MacDonald’s view, there needs to be a wide range of security controls in the VM, such as virtual firewalls, intrusion-prevention systems and antivirus, in addition to load balancers and traffic shapers.

Increasingly, vendors such as Altor, Cisco, Juniper, IBM, Hytrust, HP, Enterasys, McAfee, Catbird, StillSecure, Sourcefire, Reflex Systems and StoneSoft are offering virtual-appliance options for firewalling, monitoring and intrusion-prevention, for example. For the VMware platform, “Check Point has gotten furthest along,” said MacDonald. “After a slow start, finally the big security vendors are making progress on their virtual-security controls.”

VMware has provided VMSafe APIs to facilitate hypervisor-based “introspection” so that multiple software agents are no longer required. The need to deploy and run agent software has traditionally “been the bane of our existence,” MacDonald acknowledged. But there are still a lot of questions about exactly how this works.

Trend Micro, seen as the No. 3 player in antivirus behind Symantec and McAfee, has been the fastest to embrace some of VMware’s ideas on this, including support for VMware’s latest security APIs, vShield, in its Deep Security product, which can perform A/V scanning for vSphere. Trend Micro has been charging less for VM-based A/V software, perhaps figuring “it has nothing to lose,” MacDonald said.

The downside of the Trend Micro Deep Security approach with vShield, though, is that “stub code” for VMware is still needed to make it work and a hypervisor extension, plus it’s for Windows only and it quarantines but does not remove malware infection; it only does anti-malware scanning, MacDonald said. And the possible drawback with vShield, which has the software taking on the role of firewall, is that it’s so specific to VMware vSphere, customers will end up with “another silo.”

The transition to more virtualisation-focused software-based security controls, though now filled with uncertainties, is still expected to occur, and though only deployed “in the single digits today,” by 2015, Gartner predicts 40% of security controls, such as antivirus, will be virtualised. This will happen, MacDonald added, despite the fact that vendors such as Cisco and Juniper have been dragging their feet because they like to sell “overpriced physical hardware.”

At this point, the main idea is to “treat the virtualisation platform as the most important IT platform in your data centre, from a security and management perspective,” MacDonald said.

For those responsible for the identity management arena in the cloud, however, the situation appears to be particularly challenging.

“Until about two years ago, we were talking about how to do identity management internally,” said Gartner analyst Gregg Kreizman. “Now, it’s about how do we get our arms around the SaaS [software-as-a-service] problem? Or we used to manage the applications but now they’re in the cloud” … so it’s leading to a never-before-asked question, “How about if we have our identities there?”

This is the cloud relative to the on-premises systems of yore, Kreizman said, and with SaaS providers using different interfaces, there’s now a growing “interface risk” of a wider attack surface, plus more people potentially with their hands on the data. Google “is not very upfront about their security practices,” Kreizman said. “Salesforce is a little bit better.”

“Unfortunately, the default way to get identity information into a SaaS is to administer directly,” said Kreizman. “An FTP or a Dropbox might be involved.” Dropbox is a service that has suffered several security failures, including one this week involving a password-management problem that left user information exposed.

Companies today wanting to extend their corporate identity-management systems, such as those from CA (which acquired Arcot Systems) or IBM, to the cloud can do so for specific cloud providers, if it’s supported, in a hybrid arrangement. In addition, Exostar and Covisint fall into a realm now called a “community federation hub” that serves specific types of groups, in this case mainly aerospace, defense, auto manufacturing and healthcare. “It’s a collection of users willing to pay for identity services under established federations and SaaS providers,” Kreizman said.

There’s a stampede of new choices racing into the identity-management market to hook up to the cloud, creating a “volatile market” and even “kind of a Wild West here,” said Kreizman.

Among the players are Okta, Clavid, Symplified, Onelogin, Ping Identity (which also offers stand-alone federation software) and Nordic Edge (acquired by Intel). Some traditional identity and access management vendors, including Fisher International, idEntropy, Novell and Lighthouse, are selling packages and services for the benefit of cloud providers and customers.

VMware last August acquired TriCipher with the expectation of giving customers easier controls for SaaS in the future. And RSA technologies are expected to be leveraged in the cloud-trust authentication system that is due to go into beta soon.

Although identity and access management as a service is still new, Gartner expects this could grow enormously in just a few years, from about 5% of identity and access management sales to as much as 20% by the end of 2012.

Source

Three Major Risks of Cloud Computing

IT professionals looking to place data in the Cloud should be aware of three major risks, including data leakage, the loss of visibility or control of the data, and unauthorised access to data, according to global services firm Ernst and Young.

The firm’s senior manager, Pieter Danhieux, told attendees of IDC’s Cloud for Business Conference 2011 that while Cloud service providers are often talking about scalability, availability, cost reductions, efficiency and effectiveness, they had not addressed Cloud security as a business enabler.

According to Danhieux, data leakage is the biggest concern for IT managers and CIOs, as the Cloud often uses virtualisation, entailing hypervisors and virtual systems.

“One of the risks that exist here is you want to remove some data from your system because it might not be relevant anymore, you send a command through the hypervisor to delete it… Anyone with a little bit of IT background knows that if you delete data from a disk it’s not actually deleted, the index to that certain location on the disk is deleted but the actual data is still there,” he said.

“What could happen is, if I’m on the same virtual or on the same physical hardware I could actually ask the hypervisor to give me that piece of hard disk and I can read it, at that moment I’m actually able to read some of the data out of your system.

“The same is true for network interfaces when, for example your assistant communicates around the world with another system, it goes through the hypervisor and to the network interface so all the data is transferred through this network interface.

“What can go wrong is if the permissions on my system on the hypervisor are not correct, I will be able to talk to the network interface and read everything which is going out of that interface.”

Although these attacks are technical, said Danhieux, it has been proven that they work.

“One thing you should ask yourself is whether the virtualisation technology my Cloud service provider is using hasn’t been tested for security and is it secure?”
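The remanence problem Danhieux describes, and the mitigation a tenant should ask about, as an added illustration (this is not code from the article or from Ernst & Young). The block pool is a toy model of the storage a hypervisor hands out: with `sanitize_on_release=False` a “delete” only drops the index entry and the next tenant to receive the block reads the previous tenant’s bytes; with `sanitize_on_release=True` the block is overwritten before reuse. `audit_fresh_volume` is the check a tenant can run over a raw image of a newly provisioned disk before trusting the provider’s sanitisation; the block size, tenant names and sample data are constructed for the example.

```python
"""Simulated block pool showing why released storage must be sanitised before
reuse, plus an audit that samples a fresh volume for leftover data.
Added illustration; not code from the article or from Ernst & Young."""
from __future__ import annotations

BLOCK_SIZE = 16  # bytes per block; tiny so the example stays readable


class BlockPool:
    """Toy model of the storage a hypervisor hands out to tenants.

    sanitize_on_release=False models the behaviour described in the article:
    'deleting' only removes the index entry and the bytes stay on disk.
    sanitize_on_release=True models the mitigation: overwrite on release.
    """

    def __init__(self, n_blocks: int, sanitize_on_release: bool) -> None:
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.owner: dict[int, str] = {}          # block index -> tenant id
        self.sanitize_on_release = sanitize_on_release

    def allocate(self, tenant: str) -> int:
        for i in range(len(self.blocks)):
            if i not in self.owner:
                self.owner[i] = tenant
                return i
        raise MemoryError("pool exhausted")

    def _check(self, tenant: str, block: int) -> None:
        if self.owner.get(block) != tenant:
            raise PermissionError("block not owned by tenant")

    def write(self, tenant: str, block: int, data: bytes) -> None:
        self._check(tenant, block)
        self.blocks[block] = data.ljust(BLOCK_SIZE, b"\0")[:BLOCK_SIZE]

    def read(self, tenant: str, block: int) -> bytes:
        self._check(tenant, block)
        return self.blocks[block]

    def release(self, tenant: str, block: int) -> None:
        self._check(tenant, block)
        del self.owner[block]                    # the 'index' is removed...
        if self.sanitize_on_release:             # ...and the bytes only if policy says so
            self.blocks[block] = bytes(BLOCK_SIZE)


def remanence_demo(sanitize_on_release: bool) -> bytes:
    """Tenant A writes a secret and deletes it; tenant B then receives the same block.

    Returns what tenant B reads from its freshly allocated block.
    """
    pool = BlockPool(n_blocks=1, sanitize_on_release=sanitize_on_release)
    blk = pool.allocate("tenant-a")
    pool.write("tenant-a", blk, b"secret:4242")   # constructed sample data
    pool.release("tenant-a", blk)
    blk2 = pool.allocate("tenant-b")
    return pool.read("tenant-b", blk2)


def audit_fresh_volume(volume: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Fraction of blocks on a freshly provisioned volume that are not all zero.

    Run this over a raw image (or the first few GB of a new disk) before
    trusting that the provider sanitises storage. A value well above 0.0 on a
    volume that should be blank is worth a question to the provider.
    """
    blocks = [volume[i:i + block_size] for i in range(0, len(volume), block_size)]
    if not blocks:
        return 0.0
    dirty = sum(1 for b in blocks if any(b))
    return dirty / len(blocks)


if __name__ == "__main__":
    print("no sanitisation:", remanence_demo(False))
    print("sanitise on release:", remanence_demo(True))
    print("dirty fraction:", audit_fresh_volume(bytes(32) + b"x" * 16 + bytes(16)))
```

Reading zeros back from a sample of a new volume does not prove the provider zeroes everything, but reading anything else proves it does not, which is the answer Danhieux’s question is really after.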

The second largest risk is losing visibility or control of data, as when using Cloud services, organisations don’t know where the information is being stored or processed.

As a result of this, organisations must ask themselves a number of questions before investing in the Cloud, said Danhieux.

“You need to know when you’re putting data into the Cloud, first of all, am I allowed to store this data outside of Australia?” he said. “Private data and flight information data cannot usually be stored outside of the country of origin, you must ask, what are the legal implications?

“Another crucial question is, what if I lose this data? What will be the impact for my business? Will I go bankrupt? Ask yourself this question before you actually consider going into the cloud.”

Thirdly, unauthorised access to data occurs when organisations put data into the Cloud. Despite having an Australian-based Cloud service provider, once the data is in the Cloud, organisations have no idea where it is located.

“When you put data in the Cloud you have poor visibility on where your data is going and China, Russia and Brazil, they are not the countries with the best reputation for taking care of private information,” Danhieux said.

According to Danhieux, when putting data into the Cloud, companies have no idea where it is actually going, which is a big risk.

“Don’t think the data from your company is not valuable to others, because it could be valuable to your competitors, it could be valuable even to other governments,” he said.

“For enterprise, the questions to ask yourself when doing Cloud computing is, firstly, what type of data are you putting into the Cloud, because if it’s data which is irrelevant, you can put it into the Cloud without any security risks; if you’re putting valuable trade secrets into the Cloud then you might question yourself as to whether your Cloud service provider provides the best security control.

“Secondly, you need to know how critical this information is for your organisation or for your government, and you need to ask yourself can I put restrictions on in which countries this data is actually stored.”

Danhieux left attendees with a final thought, noting that the “bad guys” can also use Cloud computing, which can be used to do password hacking faster and much more easily.

Source

5 Overlooked Threats to Cloud Computing

A lack of understanding about security risks is one of the key factors holding back cloud computing.

Report after report after report harps on security as the main speed bump slowing the pace of cloud adoption. But what tends to be overlooked, even by cloud advocates, is that overall security threats are changing as organizations move from physical environments to virtual ones and on to cloud-based ones.

Viruses, malware and phishing are still concerns, but issues like virtual-machine-launched attacks, multi-tenancy risks and hypervisor vulnerabilities will challenge even the most up-to-date security administrator. Here are 5 overlooked threats that could put your cloud computing efforts at risk.

1. DIY Security.
The days of security through obscurity are over. In the past, if you were an anonymous SMB, the threats you worried about were the typical consumer ones: viruses, phishing and, say, Nigerian 419 scams. Hackers didn’t have enough to gain to focus their energy on penetrating your network, and you didn’t have to worry about things like DDoS attacks – those were a service provider problem.

Remember the old New Yorker cartoon: “on the Internet no one knows you’re a dog”? Well, in the cloud, no one knows you’re an SMB.

“Being a small site no longer protects you,” said Marisa S. Viveros, VP of IBM Security Services. “Threats come from everywhere. Being in the U.S. doesn’t mean you’ll only be exposed to U.S.-based attacks. You – and everyone – are threatened from attackers from everywhere, China, Russia, Somalia.”

To a degree, that’s been the case for a while, but even targeted attacks are global now, and if you share an infrastructure with a higher-profile organization, you may also be seen as the beachhead that attackers can use to go after your bigger neighbors.

In other words, the next time China or Russia hacks a major cloud provider, you may end up as collateral damage. What this all adds up to is that in the cloud, DIY security no longer cuts it. Also, having an overworked general IT person coordinating your security efforts is a terrible idea.

As more and more companies move to cloud-based infrastructure, only the biggest companies with the deepest pockets will be able to handle security on their own. Everyone else will need to start thinking of security as a service, and, perhaps, eventually even a utility.

2. Private clouds that aren’t.

One way that security-wary companies get their feet wet in the cloud is by adopting private clouds. It’s not uncommon for enterprises to deploy private clouds to try to have it both ways. They get the cost and efficiency benefits of the cloud but avoid the perceived security risks of public cloud projects.

Plenty of private clouds, though, aren’t all that private. “Many ‘private’ cloud infrastructures are actually hosted by third parties, which still leaves them open to concerns of privileged insider access from the provider and a lack of transparency to security practices and risks,” said Geoff Webb, Director of Product Marketing for CREDANT Technologies, a data protection vendor.

Much of what you read about cloud security still treats it in outdated ways. At the recent RSA conference, I can’t tell you how many times people told me that the key to cloud security was to nail down solid SLAs that cover security in detail. If you delineate responsibilities and hold service providers accountable, you’re good to go.

There is some truth to that, but simply trusting a vendor to live up to SLAs is a sucker’s game. You – not the service provider – will be the one who gets blamed by your board or your customers when sensitive IP is stolen or customer records are exposed.

A service provider touting its security standards may not have paid very close attention to security. This is high-tech, after all, where security is almost always an afterthought.

3. Multi-tenancy risks in private and hybrid clouds.
Many companies, when building out their private or hybrid clouds, are hitting walls. The easy stuff has been virtualized, things like test development and file printing.

“A lot of companies have about 30 percent of their infrastructure virtualized. They’d like to get to 60-70 percent, but the low-hanging fruit has all been picked. They’re trying to hit mission-critical and compliance workloads, but that’s where security becomes a serious roadblock,” said Eric Chiu, President of virtualization and cloud security company HyTrust.

Multi-tenancy isn’t strictly a public cloud issue. Different business units – often with different security practices – may occupy the same infrastructure in private and hybrid clouds.

“The risk to systems owned by one business unit with good security practices may be undermined by the poor security practices of a sister business unit. Such things are extremely difficult to measure and account for, especially in large, multinational organizations,” Webb said.

Another issue is application tiers. In poorly designed private clouds, non-mission-critical apps often share the same resources as mission-critical ones. “How do most companies separate those?” asked Chiu.

“They air-gap it, so the biggest threat for most virtualization and private cloud environments is misconfiguration,” he said. “Eighty percent of downtime is caused by inappropriate administrative changes.”

4. Poorly secured hypervisors and overstressed IPS.
Every new technology brings with it new vulnerabilities, and a gaping cloud/virtualization vulnerability is the hypervisor.

“Many people are doing nothing at all to secure virtualized infrastructures. The hypervisor is essentially a network. You have a whole network running inside these machines, yet most people have no idea what sort of traffic is in there,” Anthony said.

Buffer overflow attacks have been successful against hypervisors, and hypervisors are popping up in all sorts of devices that people wouldn’t think of as having them, including Xbox 360s.

Even when organizations believe that they have a handle on the traffic within their cloud environments, they may be fooling themselves, especially if they are relying on legacy security tools. Everyone knows that they need an IPS solution to protect their cloud deployments, but they have no idea what the actual scale of the problem is.

Moreover, many of these appliances have packet inspection settings that by default fail open. In other words, if the device is overwhelmed with, say, video traffic, the majority of traffic passes through as safe and only small samples are inspected for threats.

The IPS will typically trigger a low-level alarm or record this spike in a log, but how many IT units have time to look at logs unless they know they have a problem? Organizations are also slow to realize that they need a different array of protection in virtualized cloud environments than they had in traditional on-premises settings. Or they do realize this and are choosing to ignore it due to budget and time constraints.
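The fail-open behaviour and the unread low-level log entry above, as an added example (not code from the article or from IBM). `Inspector` is a toy model of an inspection engine with a fixed per-interval budget: in fail-open mode the excess is forwarded uninspected, in fail-closed mode it is dropped, so the trade-off is availability against a blind spot. `bypass_alerts` is the piece most organisations are missing: something that actually reads the sensor’s statistics log and raises an alert whenever the uninspected share of traffic in an interval crosses a threshold. The log line format, host name and counters are constructed for the example and are not the syntax of any particular IPS product.

```python
"""Fail-open inspection under load, and a detector over the sensor's own
statistics log. Added illustration; the log format below is constructed and
does not match any particular IPS product."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Inspector:
    """Toy packet inspector with a fixed per-interval inspection budget."""
    capacity: int
    fail_open: bool           # True: forward uninspected traffic when over budget
    inspected: int = 0
    bypassed: int = 0
    dropped: int = 0

    def handle(self, n_packets: int) -> None:
        within = min(n_packets, self.capacity)
        excess = n_packets - within
        self.inspected += within
        if self.fail_open:
            self.bypassed += excess   # silently forwarded: the blind spot
        else:
            self.dropped += excess    # fail closed: availability hit, no blind spot

    def uninspected_fraction(self) -> float:
        total = self.inspected + self.bypassed + self.dropped
        return self.bypassed / total if total else 0.0


# Constructed sample log: one stats line per minute from a single sensor.
# Minutes 10:02 and 10:03 model a burst (e.g. video) that exceeds capacity.
CONSTRUCTED_LOG = """\
2011-06-21T10:00:00Z ips1 level=info msg=stats inspected=18000 bypassed=0
2011-06-21T10:01:00Z ips1 level=info msg=stats inspected=20000 bypassed=500
2011-06-21T10:02:00Z ips1 level=notice msg=stats inspected=20000 bypassed=41000
2011-06-21T10:03:00Z ips1 level=notice msg=stats inspected=20000 bypassed=38000
2011-06-21T10:04:00Z ips1 level=info msg=stats inspected=17500 bypassed=0
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) level=(?P<level>\w+) msg=stats "
    r"inspected=(?P<insp>\d+) bypassed=(?P<byp>\d+)$"
)


def bypass_alerts(log_text: str, threshold: float = 0.10) -> list[tuple[str, str, float]]:
    """Return (timestamp, host, uninspected_fraction) for each interval in which
    more than `threshold` of the traffic left the sensor without inspection.

    The sensor itself only records these as low-level 'notice' lines; the point
    is to turn them into an alert somebody will see.
    """
    alerts: list[tuple[str, str, float]] = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # ignore lines that are not stats records
        insp, byp = int(m["insp"]), int(m["byp"])
        total = insp + byp
        frac = byp / total if total else 0.0
        if frac > threshold:
            alerts.append((m["ts"], m["host"], round(frac, 3)))
    return alerts


if __name__ == "__main__":
    open_mode = Inspector(capacity=100, fail_open=True)
    open_mode.handle(250)
    print("fail-open uninspected fraction:", open_mode.uninspected_fraction())
    for ts, host, frac in bypass_alerts(CONSTRUCTED_LOG):
        print(f"ALERT {ts} {host}: {frac:.1%} of traffic bypassed inspection")
```

A 10% threshold is an arbitrary starting point; the useful property is that the alert fires on the ratio rather than on the sensor’s own severity level, which is exactly what stays at “low” during a bypass.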

The IBM security executives I talked to at RSA ticked off a number of security solutions they would recommend to better protect cloud environments, including IPS solutions with 20 GBps capabilities, DLP and application security. Much of what their advice boiled down to (see item #1 again) is that security is becoming too big of a problem to tackle for most organizations on their own.

5. Insider threats.

Are insider threats keeping you up at night now? Unfortunately, virtualization and the cloud ramp up the risk of insider threats – at least for the time being.

“A smaller number of administrators are now likely to have access to a greater amount of hosted data and systems than ever before, as the cloud systems are managed by a cloud infrastructure management team. This can leave sensitive data open to access by individuals who previously did not have access to it, eroding separation of duties and practices and raising the risk of insider attacks,” Webb said. The ability to walk off with key assets is also simply much easier to do, rights or not, in a virtualized environment than a physical one.

“When the banking restrictions came out, people were worried about someone walking into the physical data center and grabbing a rack of tapes and walking off with it,” Chiu said. Those fears spurred much more frequent encryption of data at rest.

How do you steal those same assets in a virtual environment, where data encryption is often still an oversight?

“If you have administrative credentials, you pick the virtual machine you want, right click and copy it,” Chiu said. It’s not that hard to spot someone walking out of the building with a box of tapes. A virtual machine on a USB drive isn’t going to raise a single eyebrow.
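The control that answers Chiu’s and Webb’s point, as an added example (not code from the article, HyTrust or CREDANT): since a whole-machine copy leaves no physical trace, the hypervisor’s audit log has to be the tripwire. The check below flags every clone, export or snapshot download that is not covered by an approved change ticket naming both the administrator and the VM, and rates copies of VMs on a sensitivity list as high severity. The event shape, operation names, ticket identifiers and VM names are constructed for the example and do not correspond to any particular hypervisor’s audit format.

```python
"""Separation-of-duties check over hypervisor audit events: whole-VM copies
must be tied to an approved change that names the admin and the VM.
Added illustration; event format, tickets and VM names are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Operations that produce a portable copy of a whole machine (constructed names).
COPY_OPERATIONS = {"vm.clone", "vm.export", "snapshot.download"}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    actor: str
    operation: str
    vm: str
    ticket: Optional[str] = None     # change ticket the admin cited, if any


# Constructed sample data.
SENSITIVE_VMS = {"db-cardholder-01", "hr-payroll"}
APPROVED_TICKETS = {
    # ticket -> who may do what to which VM under it
    "CHG-1001": {"actor": "alice", "vm": "web-02"},
}
SAMPLE_EVENTS = [
    AuditEvent("2011-06-21T09:00:00Z", "alice", "vm.poweron", "web-02"),
    AuditEvent("2011-06-21T09:05:00Z", "alice", "vm.export", "web-02", "CHG-1001"),
    AuditEvent("2011-06-21T02:13:00Z", "bob", "vm.clone", "db-cardholder-01"),
    AuditEvent("2011-06-21T02:20:00Z", "bob", "vm.export", "hr-payroll", "CHG-1001"),
    AuditEvent("2011-06-21T11:00:00Z", "carol", "vm.clone", "test-07"),
]


def flag_vm_copies(events, sensitive_vms, approved_tickets):
    """Return one alert tuple per whole-VM copy not covered by an approved change.

    Alert shape: (timestamp, actor, operation, vm, severity, reason).
    A ticket only authorises the copy if it names this actor AND this VM;
    re-using someone else's ticket for a different machine is flagged.
    """
    alerts = []
    for e in events:
        if e.operation not in COPY_OPERATIONS:
            continue
        grant = approved_tickets.get(e.ticket) if e.ticket else None
        if grant and grant["actor"] == e.actor and grant["vm"] == e.vm:
            continue                                  # authorised copy
        severity = "high" if e.vm in sensitive_vms else "medium"
        reason = "no change ticket" if not e.ticket else "ticket does not cover this actor/VM"
        alerts.append((e.ts, e.actor, e.operation, e.vm, severity, reason))
    return alerts


if __name__ == "__main__":
    for alert in flag_vm_copies(SAMPLE_EVENTS, SENSITIVE_VMS, APPROVED_TICKETS):
        print(alert)
```

The severity split matters because, as Webb notes, a small infrastructure team now has reach over everything; the sensitivity list is what lets a reviewer look at the handful of events that matter instead of every clone in the lab.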

Source

Removing the Mist Surrounding The Cloud

Key factors that organisations must consider before moving across to a cloud computing model.

The hype surrounding cloud computing is expected to reach unprecedented levels over the next few years. According to recent research by analyst Gartner, CIOs view the cloud as their top technology priority for 2011 and it expects the number of organisations using on-demand computing to rise to 43% within four years.

Despite being lured by the prospect of achieving significant cost savings and efficiency gains, not all organisations are ready to embrace cloud computing and some lack an adequate contingency plan in the event of it all going wrong. Neil Cross, Managing Director of leading managed services and cloud computing provider Advanced 365, says that businesses should consider the following key factors before seeking to introduce cloud computing as part of their IT strategy.

Determine what you want to achieve and why
IT is about delivering improved business services, not just ensuring the smooth running of technology, so make sure you understand what you want to achieve as an organisation and why. Both public and private cloud options should be thoroughly reviewed alongside non-cloud alternatives, with the benefits and drawbacks of each being given fair consideration. Moving to cloud computing just because it’s the latest buzz in IT isn’t a good enough reason, and your project is likely to fail.

Understand your business drivers as well as the IT drivers
The pressure to achieve efficiency savings may encourage more IT teams to look at moving to a cloud computing model. However, it’s essential that any changes made to IT infrastructure are suited to the needs of the business first rather than being modified to fit the IT department’s preferred cloud platform.

Fail to prepare, prepare to fail
It might seem obvious, but make sure you plan thoroughly and decide how your chosen cloud solution is going to be integrated, managed and monitored. Although it’s possible to access ‘on demand’ cloud services in a matter of minutes with the aid of a credit card, you should not become complacent about the level of planning that is required to ensure that your project is a success.

Reducing complexity is as important as reducing cost
Compared with managing your IT systems exclusively in-house, cloud computing may not be a cheaper option due to the additional costs of accessing cloud services on demand and having to retrain your staff. Introducing a new cloud supplier to your business could also add more management complexity to your IT infrastructure if you’re uncertain as to how this supplier will be managed and how you are going to link your various applications together.

Think about the risks
Though cloud computing brings undoubted business benefits, organisations also need to consider carefully the potential risks. Is your data going to be held safely and securely on the cloud and are you satisfied that your cloud supplier is reliable and experienced enough to provide your business with the necessary service-level provision you require?

Choose the right partner
It is essential to work with specialist cloud partners that can manage their services in line with your organisation’s requirements. Check that your partner can provide you with an end-to-end service combining service level management, service desk facilities, remote monitoring, advanced reporting capabilities and complete data transparency to help minimise the risk of integrating your systems into the cloud. You should pay particular attention to whether your cloud provider’s service desks run 24/7 so that they can react quickly to keep downtime to a minimum.

Ensure your service level agreement is appropriate for your business
In the event of a business-critical application going down, you need to be reassured that your cloud provider has the expertise and skills to get it up and running again as quickly as possible. Ensure that your provider offers service level agreements (SLAs) that are appropriate for your business and cover almost any eventuality. The most effective cloud partners can offer multiple SLAs for a single customer, giving the business peace of mind at all times.

The increase in acceptance of cloud computing will undoubtedly lead to a surge in uptake as organisations continue to wrestle with having to make deep spending cuts. However, despite the many advantages to be gained by embracing cloud applications, they do not represent a magic wand for organisations to solve existing business issues. It’s important to consider the move to cloud computing very carefully and ensure that your organisation is practically and culturally ready to gain the most from what the cloud has to offer.

Source