SANTA CLARA, Calif.--Tackling cloud security involves educating developers on security, leveraging asset inventories and cloud provider due diligence.
Those were among the many cloud security best practices offered up during a panel discussion held here Wednesday at Cloud Expo 2011. The panel featured five members of the Cloud Network of Women (CloudNOW), a nonprofit consortium of leading women in cloud computing, who discussed numerous cloud computing security issues and challenges.
The ease and convenience of the cloud opens the door to increased security problems, said Kristin Lovejoy, vice chairman of knowledge technology risk for IBM. "It's unbelievably easy to spin up a brand new image, and the folks who're doing it aren't necessarily security experts, but [rather] developers," she said. Within seven minutes, the image may be compromised, she added.
"The issue with cloud is the better we've made it for folks to innovate, the simpler we've made it to be compromised," Lovejoy said.
The most typical attack Lovejoy has seen against cloud resources targets SSH. "Developers will use weak passwords and associate them with the picture," she said, noting that these kinds of attacks aren't unique to cloud environments.
"Those developing cloud applications should be conscious of that risk," said Lovejoy, who sees developer education as a top cloud security challenge.
Migrating data to the cloud offers corporations an opportunity to make security improvements, said Jamie Dos Santos, president and CEO of Terremark Federal Group. "It's an awesome opportunity to scrub up your act," she said.
Jill Tummler Singer, CIO for the National Reconnaissance Office (NRO), a Department of Defense agency, agreed.
"As you progress to a cloud environment, it is a good opportunity to head through an asset inventory," she said. "You will find applications which have little utilization. You'll also find applications which have security gaps and holes. It'll give you the option to plug holes before moving to the cloud."
Singer and other panelists also stressed the importance of due diligence when vetting cloud provider security. For data privacy and compliance, customers want to know where their cloud provider and their data are located, they said.
Lovejoy said cloud customers should find out what notification the provider will offer in the event of a breach, and whether it is conducting any monitoring. "Make sure what they're offering," she advised.
"When a provider offers security services, please take them," Lovejoy said. "There's this assumption that these are happening automatically."
Panelists also noted limitations of security technologies with regard to cloud computing. "The technologies we built haven't necessarily evolved so they're robust enough to control the cloud infrastructure," Lovejoy said. For instance, most companies wouldn't have an agent-based tool to alert them to configuration drift of an image in their cloud environment, she said.
"There's still no consistent security platform which might be applied" to cloud environments, Lovejoy said.
Encryption is necessary for data protection within the cloud, but we do not yet have encryption and key management that can keep pace with the volume of cloud data, Singer said. "Data privacy issues will drive that to scale," she said.