Udo Schweigert, a security analyst who runs the computer emergency readiness team at Siemens AG, says his company is well-versed in dealing with cloud providers but that work remains.
The Germany-based technology giant has more than 450,000 employees in 180 countries. So it wasn't surprising that a division in Japan contracted with one software-as-a-service provider while the company's sales offices in Russia chose another to suit their needs, Schweigert says. Siemens moved quickly to develop policies and educate business users about the importance of data security when choosing a cloud provider. The company's work isn't done, however. More policies are needed to address cloud-based infrastructure and platform providers, he says.
"We were lacking risk management with many of these projects," Schweigert says. "That's why we've made it part of our corporate risk management strategy."
Cloud computing was a hot topic at June's Forum of Incident Response and Security Teams (FIRST) Conference 2010, where Schweigert spoke on a panel. FIRST attendees -- many of them members of security response teams -- are wrestling with cloud computing concepts and trying to understand how cloud computing might change the way first responders address security threats. They didn't get any clear-cut answers from cloud and security experts at the conference, but one message was clear: tread carefully when moving into the cloud.
Fundamental security technologies work like they always have, but certainly enterprises shouldn't rely on the service provider to maintain data security, experts say. Consequently, security professionals need to approach cloud computing matters delicately, says Chris Hoff, director of cloud and virtualization solutions at Cisco Systems and a well-known speaker and blogger on cloud computing issues. Business units see the cost savings associated with moving to the cloud, but can easily overlook or even ignore the risk assessment, Hoff says.
"Our ability to influence those decisions and have a rational conversation can be very difficult sometimes," Hoff says. "We can't run around and say the sky is falling because we're not going to be taken seriously."
Setting an appropriate risk posture by knowing the kind of data that can reside at cloud providers and the intellectual property and other data types that need to be fully safeguarded from cybercriminals is a good first step, says Dave Aitel, a noted security expert and chief technology officer of Miami-based assessment and penetration vendor Immunity. Aitel adds that the assumptions people make with cloud computing -- cost benefits and increased efficiencies -- are often different than the results they get.
"Attackers are always looking for opportunities to exploit that gap between the assumptions you're making and the reality," Aitel says.
Jose Nazario, a botnet expert and senior security researcher at Arbor Networks, calls cloud-based services the inevitable next stage for enterprises. However, he says security experts are still learning about the threats posed by the cloud.
"We can't fully understand and quantify the risks and we've been doing this stuff for the past 20 years," Nazario says.
Robert Westervelt is the news editor of SearchSecurity.com.