The security experts’ guide to the cloud...
What do you get when you gather nine of the top IT thinkers to talk about cloud security? Professional advice and help with your cloud strategy.
And it’s all in GFI Software’s new 43-page eBook The security experts’ guide to the cloud.
In the guide, IT media vet Frank J. Ohlhorst cautions that Distributed Denial of Service (DDoS) attacks are still very much alive, moving at lightning speed across the cloud, and ready to attack your web servers and other apps.
In fact, some of the very devices used to speed up our applications, such as Application Delivery Controllers (ADCs), can themselves be attacked.
The answer? Take web security seriously and properly configure your ADCs so they can ward off DDoS.
There are eight more important and compelling pieces, including the following.
The early fears about the cloud revolved mainly around security, or the perceived lack thereof. Marketing guru, technologist and author Nick Cavalancia has a decidedly different take - he thinks the cloud should and can be trusted.
That’s because there is a bevy of large and trustworthy providers who have built tons of redundancy into their networks. And these well-heeled companies can afford the best servers, storage, network pieces and software.
Ongoing security fears also have some holding back from using the cloud for storage. And with some services such as Gmail having outages and losing data, these fears aren’t entirely misplaced.
But this should not be a cloud storage deal breaker.
Instead, good planning and setting requirements, such as strong encryption, can make cloud storage safe to use, says storage expert Deni Connor.
But while Cavalancia has faith in the cloud, Microsoft MVP Brien M. Posey sees more cause for concern - for instance, with SaaS you are not in charge of how the data is secured, as you would be when running the app in-house.
“There are two reasons why this type of security may prove to be problematic for SaaS customers,” Posey argues.
“The first reason is loss of control. SaaS customers cannot use their preferred security software to protect their cloud-based applications.
“The other reason why the inability to run third-party security in a SaaS environment may prove to be problematic has to do with manageability.
“Oftentimes organisations use security software that offers centralised reporting capabilities.
“Such a feature may give the organisation a way to monitor security and health through a single pane of glass. The introduction of SaaS means that there will likely be cloud-based applications that cannot be monitored using the organisation’s preferred software.”
ZDNet columnist Ed Bott weighs in with some advice to keep your cloud data private – especially when using cloud storage:
“Cloud storage is probably the purest example of the tension between convenience and security in modern computing,” he claims.
“When you move your data to the cloud, you make it possible to access those files from anywhere.
“But that flexibility comes at a steep cost: Anyone who can sneak into that cloud server can access all your secrets, and you might never know.”
The answer is to control who has access to your files, make sure strong passwords are in use, and encrypt everything.
Identity management is one area where the cloud can both hurt and help. On the hurt side, so many services mean umpteen passwords, which greatly increase exposure to hackers.
But a proper approach to identity management can cure these ills, or so says Debra Littlejohn Shinder:
“The basis of all computer security is controlling access – limiting the ability to view or change data or settings to only those persons and/or devices that are authorised to do so,” she says.
“That control begins with properly identifying everyone who attempts access. Centralised identity management systems based on directory services have been in place for a long time within organisations, and have grown to span multiple organisations in the form of identity federation.
“Now identity management has expanded its scope again, to encompass cloud services with a global user base.”
Dana Gardner, principal analyst for BriefingsDirect, believes cloud security is a moving target, and not necessarily moving in the right direction.
Part of the problem is the massive rise in cloud services, all of which need to be secured. Another issue is that too many of these services are far from enterprise ready. In fact, 93% of these services are not up to enterprise snuff.
The answer is to carefully select the services your company uses and the infrastructure they run upon.
By Doug Barney, writer/editor for GFI Software