Hanna, who also holds the title of distinguished engineer with Juniper Networks, said most cloud security concerns come about when organizations move their data, servers, or applications into a ‘public’ cloud and hand over control to the provider. It was these potential threats that he highlighted during his CSI Conference session titled ‘Stormy Weather: Securing Cloud Computing’.
In Hanna’s opinion, resisting the migration toward cloud-based services is a futile endeavor; security pros, he said, must simply “manage the process carefully”. This is because the primary benefit of the cloud, reduced costs, is nearly impossible to resist in cases where organizations, absent regulatory or compliance prohibitions, are free to move either storage or processes over to a third-party cloud provider.
Of course there are other concerns with the cloud, Hanna noted, but issues within the CIA framework (confidentiality, integrity, and availability) will likely, in the long run, take a backseat to the cost-savings benefits.
“In some cases, the cloud can actually be a benefit from a security standpoint”, Hanna added, highlighting the fact that most smaller organizations have extremely limited resources available for security. “For small and medium-sized businesses, provider security is probably already exceeding, by far, what the [business] has. There are no guarantees in this sense, but it’s quite likely.”
Hanna recommends the Cloud Security Alliance’s guidance on cloud security threats for organizations contemplating movement to a third-party provider. He outlined several specific threats to consider:
- Failures in cloud provider security
- Attacks by other customers within the same public cloud
- Availability and reliability issues
- Legal and regulatory restrictions (some compliance regimes prohibit the use of third-party cloud storage)
- Integrating cloud provider and cloud customer security practices
Because it is the lifeblood of their business, Hanna said that most cloud providers have gone to great lengths to ensure greater availability of services. However, one of the most intriguing aspects of cloud security, according to Hanna, is the last point: integrating provider and customer security policies.
The issue with integration is that customer and provider each maintain their own security systems, which prompted Hanna to ask: “How do you make sure these are in sync? Will you get notified if the cloud provider is attacked?”
The major issue here is that misbehavior in the cloud is often not reported to the customer. Hanna contends “you must, at the very least, integrate your identity and management access controls” with cloud providers to prevent unauthorized access to data and applications being stored in the cloud.