Security challenges with cloud computing services

By Marcia Savage, Features Editor, Information Security magazine 21 Sep 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

If you entrust a cloud provider with your data, how is encryption handled, if at all? What about user authentication? What about data breach liability?

Those were some of the issues raised during a panel discussion on the security challenges with cloud computing services at last week's Bay Area SecureWorld in Santa Clara, Calif. "We're not saying the cloud is bad. There is a lot of good there, but we want to bring the challenges to your attention," said panelist Tim Mather, a security advisor and a founding member of the Cloud Security Alliance (CSA).

One of the major cloud security issues is encryption, he said. If data is processed in the cloud it needs to be decrypted, while some providers don't even offer encryption. And if encryption is used, key management becomes a big issue, he said: "Who manages the keys?"

Cloud computing services: Cloud computing group to tackle security concerns: A new organization will address the security concerns inherent with cloud computing. Cloud computing security group releases report outlining trouble areas: The non-profit Cloud Security Alliance says its comprehensive report serves as the starting point for a broader discussion on cloud computing security issues. Three cloud computing risks to consider: Cloud computing carries risks that enterprises need to weigh before they forge ahead.

The role of network security decreases when moving into the cloud, making user-based controls more critical, said Subra Kumaraswamy, senior security manager at Sun Microsystems Inc.

"A key area to focus on is federation, which allows SSO [single sign-on]. … Not every cloud is equal. A majority of providers don't support SAML [Security Assertion Markup Language]," he said. "Emphasize SAML and force them to support it."

Man-in-the-middle attacks and Trojans will pose problems in cloud computing, making it important that organizations understand their strong authentication options with a cloud provider, said Kumaraswamy, also a CSA founding member. And if a company uses two-factor authentication, there's the question of how that transfers to the cloud, he said.

Another focus for cloud computing services customers should be authorization -- what users can do in the cloud. "Not all providers support that role-based access control," he said.

"There are different kinds of clouds. Some are more secure than others," said panelist Izak Mutlu, CISO of Software as a Service (SaaS) provider Salesforce.com.

Early on, his company implemented security, he said. The company engages third-party security firms to audit its security and performs internal security audits. "We are very transparent," he said.

Security improvements at Salesforce.com have widespread benefits, Mutlu noted: "Every enhancement we make for security affects all our customers."

The panel also addressed the issue of liability in the event of a security breach involving a service provider with a shared, multitenant application. Mutlu said liability depends on how the customer negotiates its contract with the service provider.

In a keynote at the conference, Nils Puhlmann, co-founder of the Cloud Security Alliance, said cloud computing presents risks but also opportunities to security pros.

SearchSecurity radio:

With the SaaS model of cloud computing, it's incumbent on the customer to ensure the provider has enough security functionality, he said. However, if a large customer, for example, asks a SaaS provider for a particular security control, the provider will undoubtedly implement the control, which will benefit the providers' other customers, Puhlmann said.

"We can actually raise the bar from a security perspective," he said.

Cloud vendors are often non-committal about security, but sometimes that might be because they are startups and don't understand it, he said, adding, "In most cases, you can educate them."

The nonprofit CSA formally launched in April with a goal of sharing best practices on cloud computing security. The group, which has more than 4,000 members, released a paper outlining more than a dozen areas it says must be addressed to better secure cloud computing environments. Puhlmann said CSA expects to release the second version of the document in October.

Tags: Secure SaaS: Cloud services and systems,  Virtualization Security Issues and Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Secure SaaS: Cloud services and systems Cloud computing data security starts with internal strategy, experts say Network security expert urges hardening of cloud protocols Is Identity Management as a Service (IDaaS) a good idea? Burton Group warns of cloud computing risks Researchers say search, seizure protection may not apply to SaaS data McAfee to acquire email SaaS vendor MX Logic How secure is 'Platform as a Service (PaaS)?' When to use the service features of the Metasploit hacking tool Cloud-based security services should start private Cloud computing security: Infrastructure issues Virtualization Security Issues and Threats Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical At VMworld 2009, companies focus on virtual desktops for security Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance Virtual appliances boost flexibility, improve security

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary