This article can also be found in the Premium Editorial Download "Information Security magazine: Outsourcing security services."
Back in 2009, some researchers at Sensepost Security in South Africa decided to poke around in the security mechanisms of a couple of the major cloud providers. The results were presented at Black Hat and Defcon. The researchers set limits for themselves so that they didn’t run afoul of the law, but still managed to find some fairly amusing gotchas. They were nice about it and passed along their findings to the relevant cloud providers. And none of the security holes they uncovered resulted in major breaches or takedowns.
Still, it made a skeptic out of me where cloud security was concerned. For a couple of years, my answer to “how do you secure the cloud?” was “it can’t be done.”
I’m still pretty skeptical about cloud security. I’ve grudgingly come to recognize, however, that some pretty good work is going on to make it possible to control the quality of security you get in Web deployments and to monitor what’s going on in your slice of the cloud.
Even if application security in the cloud isn’t yet ironclad, it’s increasingly attractive to use the cloud as a platform for offering security services. Mike Chapple takes a look at this in our cover feature, noting that many organizations are finding themselves outsourcing parts of their security efforts so that they can meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Chapple’s article doesn’t stress this point, but I think it’s worth considering that some services, such as vulnerability scanning, directly benefit from a cloud service provider’s experience across many organizations.
Marcus Ranum’s conversation with Randy Sabett, counsel at ZwillGen PLLC, looks at a related part of the cloud conversation: how do you know you’re getting good service where security is concerned? And when will cloud providers boil down the wide and confusingly described security provisions in their service-level agreements (SLAs) to some sort of coherent set of standard offerings? Sabett, at least, feels that the concerns security practitioners should focus on when making an SLA come down to four or five key elements, so perhaps there’s hope.
Elsewhere in the issue, Lynn Goodendorf looks at another landscape-shifting force in computing these days: the rise of big data. Not surprisingly, we in the security industry are interested in the security implications. In Goodendorf’s article, the focus is on privacy (or perhaps it’s more correct to say, the lack of privacy). And once again, we find ourselves looping back to the cloud, which Goodendorf argues is a prerequisite for implementing big data in a cost-effective way. Cloud is needed, but she believes that “the competency required to ensure the security and privacy of data in the cloud is generally lacking.”
In short, cloud and big data, mixed together in liberal quantities, raise some of the most interesting questions we’re dealing with in the IT security field. Where big data is concerned, the Federal Trade Commission is already involved, as Goodendorf notes, and one suspects that more legislation could be in the wings. While privacy experts are grappling with what sorts of controls are appropriate, I can’t help but wonder whether society has had enough experience with the potential invasions that big data enables to arrive at the kind of consensus that makes effective legislation possible.
This was first published in February 2013