PwC interview: Security lessons in the cloud
Gary Loveland, a principal in PricewaterhouseCoopers' advisory practice and head of the firm's global security practice, discusses the latest in cloud security issues.
By Bob Violino
February 01, 2011 — CSO —
CSO recently interviewed Gary Loveland, a principal in PricewaterhouseCoopers' advisory practice and head of the firm's global security practice, about the latest in cloud security issues. Loveland has served as a data security officer and has recommended and implemented security strategies in large-scale business environments.
CSO: What do you consider to be the most serious security threats related to cloud computing?
Loveland: One of the most serious security threats to cloud computing is the fact that it is still an emerging technology, and even savvy IT leaders may not fully understand how the multiple layers of technology that comprise the "cloud" work together. Leveraging use case scenarios about specific risks and threats can be very helpful, so that [executives] can see more clearly where they are at risk and better understand how they can mitigate it. For example, multi-tenancy environments pose a threat at several layers, such as the complexity of the rule sets that drive routing and access to domain resources. A misconfiguration can result in unauthorized access to privileged information.
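The rule-ordering failure Loveland alludes to can be made concrete. The following is an added illustration, not code from the interview or from PwC: a minimal first-match access-rule evaluator over a shared multi-tenant address range, with a misconfigured rule set (a broad "allow internal" convenience rule placed ahead of the tenant-isolation denies) beside the corrected ordering, plus a small audit that enumerates cross-tenant reachability. The tenant names, subnets and rules are constructed for the example.

```python
"""Added example (not from the CSO interview): a first-match rule-set
evaluator and a cross-tenant reachability audit, showing how rule ordering
in a multi-tenant environment can grant unintended access.
All tenants, subnets and rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    comment: str = ""


# Constructed tenant layout: each tenant owns one /24 inside a shared /16.
TENANTS = {
    "acme": ipaddress.ip_network("10.0.1.0/24"),
    "globex": ipaddress.ip_network("10.0.2.0/24"),
}


def evaluate(rules, src_ip, dst_ip):
    """First-match semantics with a default deny, as in most ACL engines."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return "deny"


# Misconfigured: the "allow all internal" rule comes first, so the
# tenant-isolation denies below it are never reached.
MISCONFIGURED = [
    Rule("allow", "10.0.0.0/16", "10.0.0.0/16", "ops: allow internal east-west"),
    Rule("deny", "10.0.1.0/24", "10.0.2.0/24", "isolate acme from globex"),
    Rule("deny", "10.0.2.0/24", "10.0.1.0/24", "isolate globex from acme"),
]

# Corrected: isolation denies first; the broad allow becomes a fallthrough.
CORRECTED = [
    Rule("deny", "10.0.1.0/24", "10.0.2.0/24", "isolate acme from globex"),
    Rule("deny", "10.0.2.0/24", "10.0.1.0/24", "isolate globex from acme"),
    Rule("allow", "10.0.0.0/16", "10.0.0.0/16", "ops: allow internal east-west"),
]


def cross_tenant_paths(rules, tenants=TENANTS):
    """Audit: return (src_tenant, dst_tenant) pairs that can reach each other.
    One representative host per subnet is probed; a production audit would
    test every rule boundary rather than a single sample address."""
    leaks = []
    for a, net_a in tenants.items():
        for b, net_b in tenants.items():
            if a == b:
                continue
            host_a = str(net_a.network_address + 10)
            host_b = str(net_b.network_address + 10)
            if evaluate(rules, host_a, host_b) == "allow":
                leaks.append((a, b))
    return leaks


if __name__ == "__main__":
    print("misconfigured leaks:", cross_tenant_paths(MISCONFIGURED))
    print("corrected leaks:", cross_tenant_paths(CORRECTED))
```

Reordering the denies fixes this particular rule set, but the more robust shape is a per-tenant positive allow-list with no broad internal allow at all, so that a later "convenience" rule cannot silently reopen the path; the audit function is the check worth keeping regardless of which shape is used.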
CSO: Are there any emerging threats/vulnerabilities with the cloud that you find particularly disturbing?
Loveland: One of the most insidious emerging threats to the cloud is targeted malware. Cloud infrastructures with multi-tenancy environments provide large and lucrative targets for malware. Cyber criminals choose to attack targets where their efforts can yield the highest benefit, and large cloud providers are big targets with potential treasure troves of data that can be sold on the black market. Further, cloud providers are often connected to many corporate networks and, if penetrated, provide a good launching point for distributed attacks. Application vulnerability injection exploits are the most dominant path of attacks. While there is no "silver bullet" that can completely secure an application, risks can be mitigated by applying proper security controls at each layer of the architecture. Also, many cloud providers incorporate security tools -- such as static code analysis tools at the PaaS layer -- to remedy the gaps in a layered security approach.
CSO: In your opinion, is the public cloud safe enough to be used for business applications and information, or do service providers still have work to do to adequately protect data?
Loveland: Provider-side security control transparency is critical if providers want to accelerate the enterprise adoption of the various cloud services models. Having said that, the public cloud today may offer an acceptable risk/reward trade-off for some companies. The key things to consider are (1) security maturity controls within the organization and the cloud provider; (2) the specific applications and information in consideration; and (3) which providers are being considered.
In some cases, an organization's internal information security controls may be less mature than those at the provider. This may be the case for decentralized organizations or small to mid-size companies that have been more focused on growth than on preservation of market position or revenue streams. An organization that wants to leverage the cloud would benefit from a thorough assessment of its internal security controls before going to the cloud.