Cloud Security Still as Unpredictable as the Weather

Amid the frenzied adoption of all forms of cloud computing, there has been a disproportionate amount of noise produced by IT vendors scrambling for a piece of the action. Security vendors are certainly complicit, as most of them attached the word “cloud” to whatever they were selling and labeled it “cloud security” without actually providing it. Few of them are genuinely addressing the unique security issues presented by deploying applications to the cloud or adding any value to companies that are scrambling to understand the security risks involved. Everyone is instinctively convinced that there are increased security risks with moving to the cloud, but they’re difficult to identify and mitigate. In fact, several technology analysts have found that uncertainty over cloud security is the primary barrier to adoption or concern that companies have as they contemplate moving parts of their business to the cloud.

 

Last week the National Institute of Standards and Technology (NIST) began weighing in on the topic with a draft of its guidance for safely and effectively using cloud computing in any form – private, public or hybrid. This document –  NIST Special Publication 800-146: Cloud Computing Synopsis and Recommendations – lays out general definitions and use cases and ultimately tries to provide “guidelines and recommendations on how organizations should consider the relative opportunities and risks of cloud computing.” Overall, it’s a great description of many of the options and considerations for the various forms of cloud computing, but it leaves readers wanting more concrete actions they can  take to protect their applications in the cloud. Their basic conclusion is that you need all of the same security controls that you would put in place for a physical infrastructure; you just need them all in the cloud.

 

This statement sums up well their position on security guidance:

“A number of considerations affect security of data and processing conducted in a cloud. For example, the quality of a cloud's implementation, the attack surface of a cloud, the likely pool of attackers, system complexity, and the expertise level of cloud administrators are a few considerations that affect cloud system security. Unfortunately, none of these considerations is decisive regarding cloud security and there are no obvious answers when comparing cloud to non-cloud systems as to which is likely to be more secure in practice.”

 

In other words, “We’re pretty sure the cloud is less secure, so do what you would normally do to secure your systems. And then hope for the best.”

 

NIST is missing an opportunity to take a decisive stance on the only reliable way to secure cloud systems: secure the software that runs your applications before you ever think about deploying it to the cloud. Vigorously test for security during development. Repeatedly test for security before deployment. Understand and remediate the software code-level vulnerabilities while your application is in a controlled environment. Demand proof from your cloud provider that they are testing the infrastructure for security. Ask for proof from your cloud provider that the your neighbors in the cloud are also securing their software, because you’re at risk of being only as secure as the lowest common denominator whose carelessness could put the whole neighborhood at risk.

 

The NIST draft is definitely correct and informative in everything it points out as a serious security consideration, like the risks of multi-tenancy, failure of logical separation of resources, effective data protection and encryption, and business continuity. But it falls short of effective recommendations that organizations can act on. When it comes to the applications that you’re thinking of deploying to the cloud, if you invest the time in effort in software security assurance to harden your software, then you can more confidently move to the new limitless and elastic world of cloud computing.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author
Featured


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.