
RSA council addresses growing security risks in the cloud

By Robert Westervelt, News Editor
09 Jun 2009 | SearchSecurity.com


Companies are under increased pressure to cut costs and are turning to a variety of Web-based services, from online collaboration tools to social networking platforms, without considering the increased risks they pose and in some cases failing to inform IT security.

Two studies released today from EMC's RSA security division address the increased risks posed by cloud-based services and social networking. The 2009 IDG Research Services survey, commissioned by RSA, surveyed 100 security executives at companies with revenues of $1 billion or more. It found that many organizations lack a security strategy to address the risks associated with cloud-based services.

Nearly half of those surveyed either have enterprise applications or business processes running in the cloud or are beginning migration in the next 12 months. Yet, two-thirds do not have a security strategy in place for cloud computing, the survey found.

"The rapid adoption of nascent Web, social and mobile technologies combined with the rising use of outsourcing is quickly dissolving what remains of the traditional boundaries around our organizations and information assets," Art Coviello, executive vice president at EMC and president at RSA, said in a statement.

It is the third study in recent months that addresses the risks associated with the growing use of Web-based services. A recent survey conducted by independent research firm Dynamic Markets Ltd. and commissioned by security vendor Websense Inc. found that IT professionals are under pressure from upper-level executives to relax Web security policies. In a separate study, website vulnerability assessment vendor WhiteHat Security Inc. highlighted the top vulnerabilities plaguing websites, putting users of Web-based services at risk.

Making matters worse, some security professionals are not being informed when new cloud-based technologies are being used within an organization, according to the IDG Research survey. More than 8 of 10 respondents are concerned that pressure to cut costs and generate revenue has increased their exposure to security risks.

A second study released by RSA, called "Charting the Path: Enabling the 'Hyper-Extended' Enterprise in the Face of Unprecedented Risk," offers recommendations from the Security for Business Innovation Council, a group of 10 security executives chosen by RSA. The executives identify seven ways to properly address the threats posed by cloud-based services and to put a strategy in place to protect against data leakage.

Security pros risk being outsourced to the cloud, according to the report. Security teams need to find ways to communicate their value or risk being ignored when the company turns to external service providers to cut costs. Security should be involved in assessing external service providers to examine their capabilities, performance and how they fit into the company's current environment.

"Looking forward, security services in many enterprises will be delivered by an internal team in conjunction with a tightly-integrated supply chain of vendors and external service providers," according to the report. "This will require the internal team to determine their set of security offerings and then honestly assess their own internal capabilities."

The report also suggests security professionals work with the business to create a transition plan for the use of cloud computing. For the increased use of social networking websites, the report recommends against blocking their use and urges the development of an acceptable use policy with an emphasis on user education to secure company data.

Companies should also consider more accurate ways to monitor the environment to detect anomalies and address issues before they become major problems. The report advises organizations to move away from signature-based antivirus and blacklisting and instead adopt behavior-based monitoring and whitelisting technologies.

"We need to develop an intelligence capability so we know what's coming and we can prevent things from happening in the first place," Dave Cullinane, CISO and vice president of eBay Marketplaces, said in the report. "It means moving to a more preventative security model and being able to share information with each other."
