Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

Cloud computing providers: Clueless about security?


To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs.

Recent incidents made me doubt:

  • Amazon not only having significant downtime but at the same time losing customer data.
  • Sony’s game network being significantly compromised.

This is definitely not meant to blame them, but I was very surprised. And then I found this study by the Ponemon Institute: Cloud computing providers: Clueless about security?

If we look at this, it paints a really scary picture of the industry – especially since I know how much effort we (and other Cloud providers) put into securing our customers’ data. If you look at the management summary, they say:

  • The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.
  • The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.
  • Buyer beware – on average providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.
  • Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.
  • The majority of cloud providers in our study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.
  • Providers of private cloud resources appear to attach more importance and have a higher level of confidence in their organization’s ability to meet security objectives than providers of public and hybrid cloud solutions.
  • While security as a “true” service from the cloud is rarely offered to customers today, about one-third of the cloud providers in our study are considering such solutions as a new source of revenue sometime in the next two years.

What we should not think is that the customer can just throw their data “over the wall” to the Cloud provider and then all the problems are solved. The customer still has obligations, and as we state in our Cloud Computing Security Considerations paper:

Compliance and Risk Management: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.

We are currently working on a series of papers for Private Clouds, Office 365 as well as Azure to show what is still the customer’s responsibility and what can be transferred to the Cloud Provider.

If you consider the points in the study above, it means that you have to do your due diligence and look into what the provider does to secure your data. Process transparency is key in this respect!

Roger

Comments
  • I've always said that cloud providers should be able to look at their service from a top-down level with 2 divisions being at a 50/50 split:  50% in service operations (ie. what it takes to run the service), and the other half in securing those services (and in turn, the data housed within it).

    Security should not be relegated to a small part of the operations - it should be as important as all of the other operations criteria added up.

    Cloud computing should be treated as an ideal online banking system, and you know that banks treat security seriously.  The way Sony is handling the PSN hack with the identity theft subscriptions (delays aside) is the same way that cloud providers should treat their services as standard fare.  Outside security auditing and certification should be mandatory for cloud providers.  Let me put it this way:  How much more trust would you have in a cloud provider where they used an external security firm that certifies it against a "hackability index", or even just used a fairly generic "Unhackable, tested Q2 2011" message on their site?  Would that satisfy hesitant subscribers that are hearing about all kinds of recent hacking attacks?  It works for the AV industry.  Why not here?

  • Well, we can debate about the right split and where "security" starts and where it ends. But as I said, the figures above are scary.

    However, your "hackability index" would be as flawed as the AV test. It does not work there either. It is fairly simple to make ANY AV solution look bad by taking a sample of viruses that this solution most probably does not detect. And then you take your preferred solution and this might detect it - wow, cool. That does not say a lot except how well a solution detects the sample.

    The same would be true with your index. You define an attack profile and then might be able to make a statement on how well the provider defends against a given set of attacks. But this does not say anything about the security overall. Therefore I am convinced that we need a set of standardized processes etc. to be able to compare apples with apples.

    Roger

  • I'm not sure I follow.  Antimalware comparative testing rates antimalware software against each other by testing them all by the same criteria.  It's not perfect, but it does give you an idea on how much better one solution is over another, and thus, which one is a smarter buy.  Many security solution purchasers will buy their products based on these ratings.  Now if you do a similar type of standardized hacking and intrusion tests against online service providers at regular intervals, you can get a similar outcome.  Obviously when a provider gets a bad grade, they'll want to try harder to raise the level of trust with customers.  This is akin to the grading system that restaurants around here obtain during a health inspection, and must post in their front window.  No restaurant owner wants a "yellow" or "red" sign, as they'll lose the trust of their patrons, but not posting the results will also lead to fines.  If they pass, they get a green sign.  This is a simplified system though.  I'd rather have some kind of percentage of attacks blocked in the case of online service providers.  The goal of this is not to say that one solution can block every type of attack, but of how serious each provider is at securing their systems.  As more and more testing authorities offer their various certifications, the solutions with the highest overall "score" would be the most secure.  Quantitative security does count for something, after all.

  • Hi Joe,

    Sorry that I did not answer earlier. The reason for my push-back is the following: I have seen in the AV business that there are a lot of organizations feeling qualified to run AV tests. Sometimes Symantec is top, sometimes they fail completely. Sometimes we are top, sometimes we fail. The reason for this is simple, as it depends on the sample you are choosing - which is more or less relevant and more or less targeted to the outcome the testing org wants.

    Therefore we (and a lot of other companies) focus on a few like the West Coast Lab as they managed to develop a brand to run a good and relevant set of tests.

    The restaurant is similar: There has to be a mutually agreed body (or a well-established body in the industry) doing the red and yellow signs at your door - otherwise it will be a mess.

    Giving certifications for security in the cloud is still much harder from my point of view. In my past I did penetration tests for companies. We almost always got in through one or the other channel. And we all know that it is basically always possible to break into a network if you are motivated enough. What is more interesting to me is to understand the processes of a provider. There, ISO 27001 is a good starting point (and only a starting point), but more is needed. E.g. how is the software developed?

    I know that the Cloud Security Alliance is working on security standards for the Cloud. Maybe this is the right way to go depending on the content. Or Security Metrics.

    I think we will see, but just focusing on a set of hacking attempts would be too techie for me, as the processes are much more relevant (including incident response :-))

    Roger

  • Nice discussion regarding cloud computing providers. I was not aware of it before. Keep it up.

  • thank you
