By Sue Poremba
Even though cloud computing is becoming more ubiquitous in the business setting, questions about cloud computing security continue to hamper its adoption. There are still a lot of corporate decision makers and even IT professionals who aren’t sold on cloud security because a number of myths and misconceptions cause confusion. It’s time to eliminate the misunderstandings and focus on the truths of security threats in cloud computing.
Misconception #1: The public cloud is more easily breached.
Truth: Just because the public cloud is publicly accessible does not mean that your infrastructure is available to the public Internet, according to JP Morgenthal, a director with
Misconception #2: All cloud apps are created equal.
Truth: You don’t use all of your cloud applications equally, so your security for cloud computing shouldn’t be a one-size-fits-all endeavor. “You need to treat each cloud application on a context basis,” explained Yair Grindlinger, co-founder and CEO of FireLayers. That means, depending on the sensitivity of the data, the profile of the user, the intended use of the data and other factors, different policies can be put into place to manage session authentication, data distribution control and other threats. “Privileged users may represent ten percent of your cloud users, yet they can cause eighty percent of the damage if their login credentials are stolen and taken over by hackers,” Grindlinger added.
Have you believed any of the misconceptions concerning security threats in cloud computing?
Misconception #3: You can rely on the cloud service provider to protect your business.
Truth: “Most users of cloud-based services wrongly assume that the service provider is responsible for managing the data, access and usage of their service. This just isn't the case,” said Grindlinger. “Cloud service providers are charged with ensuring that their application and IT infrastructure is secure and in working order. It’s your obligation to manage passwords, protect against identity fraud, prevent loss or theft of devices, encrypt sensitive data, provide access to devices via secure networks and a host of other risk mitigation activities.”
Len Whitten, Senior Director Product Management at Sungard Availability Services, agreed:"A service provider can provide all the security, mitigation, and responses possible, but security will always be a shared responsibility with a customer. However, a service provider can certainly protect the rest of the infrastructure from noisy neighbors, DDS attacks, and other security concerns. In a multi-tenant environment, it is critically important that the provider ensure that for all intents and purposes it behaves as if it is a single-tenant infrastructure."
Misconception #4: The end user is powerless when it comes to securing the cloud.
Truth: This goes hand-in-hand with misconception #3. As an end user, you do have some control over security, and you should exert that control, both over your data but also within your relationship with your cloud provider. As Simon Bain, SearchYourCloud CEO, pointed out, on the corporate level, this means not allowing the cloud provider to hold encryption keys; on a personal level, this means being careful about what information is placed in a cloud store or social media network, or about how you behave regarding online banking or e-commerce.
Misconception #5: The corporate network provides protection even when using cloud apps.
Truth: Where it once had a firewall that separated sanctioned from malicious access to the Internet, mobility and the cloud have extended the enterprise network and exposed it to new risks, Gridlinger pointed out. So a new kind of security solution is required: a secure cloud gateway which can protect the interaction between the corporate network and the cloud.
Misconception #6: The real problems are the lack of security features, gotcha contracts, and no transparency.
Truth: While all those vendor issues can be real, the biggest risk is the use of “rogue cloud services” by your employees, said Dan Lohrmann, Chief Strategist and Chief Security Officer at Security Mentor. Some people call this “shadow IT” but, whatever it is called, employees are going to thousands of websites that are “free” but not safe. “The biggest cloud risk is not knowing what is truly going on regarding your enterprise network traffic in your business, where people are going with data, and/or what they are doing,” he said.
Misconception #7: have strong authentication mechanisms broadly implemented.
Truth: Unfortunately, cloud applications have been slow to do adopt strong authentication. Most still rely on nothing but the username and password method, according to Andrew Humber, Senior Director, Marketing with AGNITiO. “We believe that anything less than multifactor authentication is dangerous, considering how many networks with critical assets stored in the cloud could be affected in a massive domino-effect breach -- with unknowable repercussions threatening core networks,” he said.
Securing data stored in the cloud can be a daunting task, especially if all you hear are the myths. The more you know about the truth of security within the cloud, the more confident you’ll be about adopting cloud applications.
Additional Materials:
1. Sungard AS is Making a Difference in the World of Cloud Computing Video
