Cloud Risks and the Security Community

Security tends to dominate many discussions regarding the adoption of cloud computing. I outlined some of the risks that often come up in this context. Yet, which of the information security risks are actually unique to the cloud paradigm? Michael Cloppert raises this point in his insightful post Let’s Enable Cloud Computing.

Michael points out that most of the risks brought up in cloud discussions are applicable to IT in general and either have a mitigation strategy or have been accepted. He sums up the infosec community’s response to cloud security as “fear of the unknown,” concluding that:

“Classic InfoSec mindset is as a gateway; a veto-holding non-voting member of the IT community. The correct role, in my opinion, is as an active participant in technical innovation, architecture, and the engineering process, making sure requirements are met in a way that balances risk with cost – not eliminating risk at extraordinary cost.”

Well put.

I tie the fear of the unknown to the desire to wait for cloud technologies and management processes to mature, and that's fine with me. For instance, in the early days of VLANs, not many admins knew the syntax and the implications of certain commands, and they were more likely to introduce a configuration error that created a vulnerability. Similarly, many organizations implementing virtualization in the context of cloud computing are new to the tools and can make configuration mistakes. Further, the products they're using are relatively immature and haven't been time-tested.

The risks related to the newness of cloud technologies will become less of an issue in about a year. Until then, most security professionals will apply extra scrutiny to proposals that involve processing sensitive or regulated data in shared cloud environments. I think that’s a good idea, as long as the discussions don’t immediately lead to a flat “no way” as soon as the term “cloud” is brought up.

The biggest concern I have over outsourced cloud services is that the economics are pushing a lot of companies to outsource without carefully understanding and codifying their requirements. Further, they might not know how to define a proper outsourcing contract, how to manage the IT transition project, or how to oversee the resulting environment. These are the areas where experienced information security professionals can add a lot of value.

Want to know more? Read my earlier notes on cloud security.

Lenny Zeltser


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
