Security compliance, addressed either by physical controls or logical controls, will still apply whether you operate on your premises or in a virtual environment. Virtual environments just make this harder and when you rely upon a third party the phrase “trust but verify” is an apt response to ensure that this particular computing model does not open up additional holes in a company’s security posture.
Before this topic gets blown out of proportion it would be good review The 2010 State of Cybersecurity from the Federal CISO’s Perspective – An (ISC)2 Report. Chief information security officers and information security officers from various U.S. federal agencies responded to questions regarding top security threats, the tools and functions necessary to develop effective security programs, and concerns around issues such as cloud computing.
This report cited that 51% of the most severe threats come from software exploits and insiders. These issues will exist whether you use Cloud Computing or in-house computing capabilities. Virtual environments however add a layer of complexity because now other companies share the same environment.
Software driving security problems
Data Loss/Leakage: Some applications could be leaking data as a result of weak API access control and key generation, storage and management. Developers sometimes create an open port that might not follow any prescribed standard. If that application resides on the same virtual farm and switching fabric, it is possible to create problems for two different companies.
Insecure Application Programming Interfaces: Building security into an application has never been on the forefront of developers. Just think how much money and time Microsoft has spent trying to retrofit security. Cloud Computing is a new platform and not merely an outsourcing business technique. Developers have to be aware of authentication, access controls, and encryption within the application and not assume someone else will carry that ball.
Insiders now cover a wider group (you and the service provider)
Shared Technology Vulnerabilities: Misconfiguration (read as mistakes) can be duplicated across an environment where many virtual servers share the same configuration. Understanding patch management and configuration management from the vendor becomes crucial.
Malicious Insiders: The level of background checks providers perform will likely differ compared to how enterprises usually control data center access for support. The staff may not be located in the geographic region (e.g., India versus USA) and privacy laws will be different. Companies need to perform a supplier assessment and outline a level of employee screening.
Account, Service and Traffic Hijacking: A lot of data, applications and resources are concentrated in the cloud where, with weak authentication, an intruder can access a user account and get at that customer’s virtual machines. There are mechanisms to thwart this, but you should not try to implement two-factor authentication after you sent the application to the cloud.
Comments