5 Mistakes a Security Vendor Made in the Cloud
Here's the cautionary tale of how one security vendor went astray in the computing cloud, and what customers can learn from it. (Part 3 in a series)
By Bill Brenner, Senior Editor
September 30, 2009 — CSO —
When security experts sound the alarm about enterprises embracing cloud computing with little understanding of the risks, it's usually a case where the expert -- working for a vendor -- is making a pitch for their employer's products. That's all well and good, but here's the problem -- some of them have trouble keeping their own side of the cloud clean.
That, according to Nils Puhlmann, co-founder of the Cloud Security Alliance and previously CISO for such entities as Electronic Arts and Robert Half International. Puhlmann recently contacted CSOonline about one example where a sizable security vendor made multiple mistakes in the cloud. He spoke on the condition that the vendor's name is kept anonymous, as he is working with the company to help address its problems.
"This major security vendor basically did everything you can possibly do wrong when rolling out the latest version of its SaaS (software as a service) product, leading to users uninstalling their solution in large numbers," he said.
In listing the following five mistakes (most of which are rooted in a lack of communication with customers), his goal is to show other security vendors how NOT to do things, and to arm IT security practitioners with a list of questions they should ask of those they pay to give them secure cloud-based services.
MISTAKE 1: Updating the SaaS product without telling customers or letting them opt out
Customers using a particular version of the SaaS product were caught unaware when the vendor decided to roll out a new version through the cloud. The upgrade was rolled out so that, from the moment it went live, any new endpoint added for management automatically received the new version. Customers were not asked or notified, and were forced into a mixed-version environment as a result. "In the past, I as a customer was able to choose if I wanted to do this, and I could choose the timing," he said. "Here, there was no control, no timing or notification."
MISTAKE 2: Not offering a rollback to the last prior version
The problem with the first mistake is that customers are now faced with compatibility issues in their environment that can cause a freeze-up of essential IT functions, including those related to security. The natural course for the IT security practitioner is to uninstall the new but incompatible version, dust off the CD with the last version of the product, and re-install the version that has proven itself stable in that environment. But in the cloud it's not always so simple, especially in this case, where the vendor offered no rollback option. "You get forced into a mixed environment and have no way to react," Puhlmann said.