
Security challenges with cloud computing services

By Marcia Savage, Features Editor, Information Security magazine
21 Sep 2009 | SearchSecurity.com


If you entrust a cloud provider with your data, how is encryption handled, if at all? What about user authentication? What about data breach liability?

Those were some of the issues raised during a panel discussion on the security challenges with cloud computing services at last week's Bay Area SecureWorld in Santa Clara, Calif. "We're not saying the cloud is bad. There is a lot of good there, but we want to bring the challenges to your attention," said panelist Tim Mather, a security advisor and a founding member of the Cloud Security Alliance (CSA).

One of the major cloud security issues is encryption, he said. Data has to be decrypted to be processed in the cloud, and some providers don't even offer encryption. And if encryption is used, key management becomes a big issue, he said: "Who manages the keys?"

The role of network security decreases when moving into the cloud, making user-based controls more critical, said Subra Kumaraswamy, senior security manager at Sun Microsystems Inc.

"A key area to focus on is federation, which allows SSO [single sign-on]. … Not every cloud is equal. A majority of providers don't support SAML [Security Assertion Markup Language]," he said. "Emphasize SAML and force them to support it."

Man-in-the-middle attacks and Trojans will pose problems in cloud computing, making it important that organizations understand their strong authentication options with a cloud provider, said Kumaraswamy, also a CSA founding member. And if a company uses two-factor authentication, there's the question of how that transfers to the cloud, he said.

Another focus for cloud computing services customers should be authorization -- what users can do in the cloud. "Not all providers support that role-based access control," he said.

"There are different kinds of clouds. Some are more secure than others," said panelist Izak Mutlu, CISO of Software as a Service (SaaS) provider Salesforce.com.

Early on, his company implemented security, he said. The company engages third-party security firms to audit its security and performs internal security audits. "We are very transparent," he said.

Security improvements at Salesforce.com have widespread benefits, Mutlu noted: "Every enhancement we make for security affects all our customers."

The panel also addressed the issue of liability in the event of a security breach involving a service provider with a shared, multitenant application. Mutlu said liability depends on how the customer negotiates its contract with the service provider.

In a keynote at the conference, Nils Puhlmann, co-founder of the Cloud Security Alliance, said cloud computing presents risks but also opportunities to security pros.

With the SaaS model of cloud computing, it's incumbent on the customer to ensure the provider has enough security functionality, he said. However, if a large customer, for example, asks a SaaS provider for a particular security control, the provider will undoubtedly implement the control, which will benefit the provider's other customers, Puhlmann said.

"We can actually raise the bar from a security perspective," he said.

Cloud vendors are often non-committal about security, but sometimes that might be because they are startups and don't understand it, he said, adding, "In most cases, you can educate them."

The nonprofit CSA formally launched in April with a goal of sharing best practices on cloud computing security. The group, which has more than 4,000 members, released a paper outlining more than a dozen areas it says must be addressed to better secure cloud computing environments. Puhlmann said CSA expects to release the second version of the document in October.
