itb-nz logo
Story image

Security: Clouds biggest challenge?

01 Dec 2011

Organisations are today acknowledging in an unprecedented way, the benefits of the cloud infrastructure and the potential opportunities that it can deliver. However when considering cloud solutions, organisations need to factor in a greater focus on the importance of security technologies and the investment in security infrastructure required to keep data safe. The traditional rule of thumb of investment in data security is no longer adequate. For the business sector this means that information security specialists more than ever need to become trusted advisors, whether on a regular or project-based engagement. The major concern around cloud hosting and cloud applications is a lack of access controls between an organisations’ systems and application accounts. You no longer know who is located on the same network as you. Hackers can now sit on the same network as you and have far more direct attack techniques available to them.  These techniques bypass access controls to attack your systems. Cloud hosting is almost always implemented on virtual infrastructure, causing Virtualisation Threats to also be available to hackers. For ISPs, hosting providers, and cloud application providers they face the challenge of having the data that they store compromised, which inevitably leads to undermining the safety of the data. "Professional cloud storage providers will offer well documented and audited security controls,” Pure Hacking CTO Ty Miller says. "We have certainly determined that despite claims to be secure, some cloud-hosting providers are in fact vulnerable following a routine penetration test. And the rule of thumb on this is that the more cost-efficient the cloud-hosting provider, the greater the incidence of security issues,” he continued. "The reality of these cloud environments is that you will often see multiple cloud machines hosted in the same environment as many as 20 – 30 other machines controlled by other ‘owners’. These can all be independent and the actual ‘owner’ unknown. There is nothing stopping a hacker purchasing the control of one of these machines and gaining access to the DMZ of another organisation and begin a sustained attack of its corporate data.” Miller recommends that organisations don’t rely on the marketing documentation of cloud hosting providers, instead he is encouraging organisation to employ industry experts, with field experience, to evaluate the security of their cloud systems to ensure that the risk associated with cloud provider compromise is minimised. For those organisations considering cloud-hosting services they need to create a set of data security policies that can help them navigate a new global security environment, where malicious attacks are increasing. Organisations need to ask themselves if they truly understand what data they are transferring to the cloud and what the outcomes of cloud attacks are. They need to ask:

  • Do I have a data classification policy and understand the classification of data in the cloud?
  • Do I have an up-to-date data register?
  • Does this cloud system expose my sensitive data to the outside world?
  • If my data is disclosed, what are the likely consequences?
  • What is my backup data plan and how do I manage the redundancy of stored data?