Companies are under increased pressure to cut costs and are turning to a variety of Web-based services, from online collaboration tools to social networking platforms, without considering the increased risks they pose and in some cases failing to inform IT security.
Two studies released today from EMC's RSA security division address the increased risks posed by cloud-based services and social networking. The 2009 IDG Research Services survey, commissioned by RSA, surveyed 100 security executives at companies with revenues of $1 billion or more. It found that many organizations lack a security strategy to address the risks associated with cloud-based services.
Nearly half of those surveyed either have enterprise applications or business processes running in the cloud or are beginning migration in the next 12 months. Yet, two-thirds do not have a security strategy in place for cloud computing, the survey found.
"The rapid adoption of nascent Web, social and mobile technologies combined with the rising use of outsourcing is quickly dissolving what remains of the traditional boundaries around our organizations and information assets," Art Coviello, executive vice president at EMC and president at RSA, said in a statement.
It is the third study in recent months to address the risks associated with the growing use of Web-based services. A recent survey conducted by independent research firm Dynamic Markets Ltd. and commissioned by security vendor Websense Inc. found that IT professionals are under pressure from upper-level executives to relax Web security policies. In a separate study, website vulnerability assessment vendor WhiteHat Security Inc. highlighted the top vulnerabilities plaguing websites, putting users of Web-based services at risk.
Making matters worse, some security professionals are not being informed when new cloud-based technologies are being used within an organization, according to the IDG Research survey. More than 8 of 10 respondents are concerned that pressure to cut costs and generate revenue has increased their exposure to security risks.
A second study released by RSA, called "Charting the Path: Enabling the 'Hyper-Extended' Enterprise in the Face of Unprecedented Risk," offers recommendations from the Security for Business Innovation Council, a group of 10 security executives chosen by RSA. The executives identify seven ways to properly address the threats posed by cloud-based services and to have a strategy in place to protect against data leakage.
Security pros risk being outsourced to the cloud, according to the report. Security teams need to find ways to communicate their value or risk being ignored when the company turns to external service providers to cut costs. Security should be involved in assessing external service providers to examine their capabilities, performance and how they fit into the company's current environment.
"Looking forward, security services in many enterprises will be delivered by an internal team in conjunction with a tightly-integrated supply chain of vendors and external service providers," according to the report. "This will require the internal team to determine their set of security offerings and then honestly assess their own internal capabilities."
The report also suggests security professionals work with the business to create a transition plan for the use of cloud computing. For the increased use of social networking websites, the report recommends against blocking their use and urges the development of an acceptable use policy with an emphasis on user education to secure company data.
Companies should also consider more accurate ways to monitor the environment to detect anomalies and address problems before they become major. The report advises organizations to move away from signature-based antivirus and blacklisting and instead adopt behavior-based monitoring and whitelisting technologies.
"We need to develop an intelligence capability so we know what's coming and we can prevent things from happening in the first place," Dave Cullinane, CISO and vice president of eBay Marketplaces, said in the report. "It means moving to a more preventative security model and being able to share information with each other."