7 deadly sins of cloud computing
Increasing your use of cloud computing? Great! Making these common security mistakes? Not great!
By David Geer
January 02, 2013 — CSO —
Automation, cost savings, and data redundancy—no wonder cloud adoption is tempting. The CISO can rest easy knowing there is no vice in moving to the cloud to reap these rewards. What may keep her up at night is not knowing how many missteps the enterprise is making in the process.
Here CISOs and security buffs round up seven security sins that can undermine cloud computing's benefits.
Failing to check IDs at the door
The only secure way to log in to the cloud is through enterprise identity management systems. Though many cloud services permit just about anyone in the organization to sign themselves up, create their own IDs and passwords without registering these with the enterprise, and then connect these credentials to personal email addresses, that does not mean that IT or the business should let it happen.
"While it is easy to start out this way, failing to integrate with enterprise IMS will leave the organization open to leaks, policy violations, and ultimately the inability to secure the cloud," says John Thielens, Chief Security Officer of Axway.
In a similar way, some companies that are deploying IaaS do so rather quickly—using self-service capabilities—to address complaints that their IT departments are slow and unresponsive. But this approach bypasses governance, allowing unguarded access to cloud servers.
"People connect to data they should never see, such as legacy project data on VMs that were never shut down," explains Stanton Jones, Emerging Technology Analyst and Cloud Expert at Information Services Group.
And what if it is a customer-facing cloud service? What is the access model? "How will you integrate it to allow user sign on that is similar to, say, the single sign on model you have internally," asks Julie Talbot-Hubbard, Chief Information Security Officer for The Ohio State University.
Letting demands for (secure) APIs fall on deaf ears
When a company moves to the cloud, users will require APIs (application programming interfaces) so they can uniquely leverage the company's services. The cloud brings internal services and capabilities closer to the customers who will want to access them. API-based integration enables that.
Mobile developers use APIs to build valuable ecosystems on top of companies' internal pieces and business information. "If the developers monetize that, those revenues can cut into your value chain and you should have a share of the proceeds via a developer portal for APIs," explains Thielens.
Having said that, API keys—which developers use to access the API services—have been compared to passwords. Know what happens if you lose your passwords? CISOs using cloud service APIs need a solid security plan for protecting API keys.
Not keeping sufficient independence from cloud providers
As cloud services evolve and new vendors and approaches pop up, the cloud's old guard such as Amazon and Facebook are turning best practices into standards and products available on a smaller scale, according to Thielens.
"This is revolutionizing approaches to the cloud all the way to on-premise infrastructure," says Thielens.
With everything still changing and evolving, the best cloud approach today may not be the best choice down the road. "Applications can even reach the point where it is economically more sound to move them back out of the cloud and into the enterprise again," says Thielens. New standards efforts such as TOSCA and CAMP (both from OASIS, the Organization for the Advancement of Structured Information Standards) are offering tools so that companies can move to cloud-like architectures without inescapably locking themselves in with a given cloud provider.