Joe Raby

6 May 2011 7:39 PM

I've always said that cloud providers should be able to look at their service from a top-down level with 2 divisions being at a 50/50 split: 50% in service operations (ie. what it takes to run the service), and the other half in securing those services (and in turn, the data housed within it).

Security should not be relegated to a small part of the operations - it should be as important as all of the other operations criteria added up.

Cloud computing should be treated as an ideal online banking system, and you know that banks treat security seriously. The way Sony is handling the PSN hack with the identity theft subscriptions (delays aside) is the same way that cloud providers should treat their services as standard fare. Outside security auditing and certification should be mandatory for cloud providers. Let me put it this way: How much more trust would you have in a cloud provider where they used an external security firm that certifies it against a "hackability index", or even just used a fairly generic "Unhackable, tested Q2 2011" message on their site? Would that satisfy hesitant subscribers that are hearing about all kinds of recent hacking attacks? It works for the AV industry. Why not here?

rhalbheer

6 May 2011 8:49 PM

Well, we can debate about the right split and where "security" starts and where it ends. But as I said, the figures above are scary.

However, your "hacability index" would be as flawed as teh AV test. It does not work there either. It is fairly simple to make ANY AV-solution look bad by taking the sample of viruses, this solution might most probably not detect. And then you take your preferred solution and this might detect it - wow, cool. Does not say a lot but how good a solution detects the sample.

The same would eb true with your index. You define an attack profile and then might be abel to make a statement on how good the provider defends against a given set of attacks. But this does nto say anything about the security overall. Therefore I am convinced that we need a set of standardized processes etc. to be able to compare apples with apples

Roger

Joe Raby

8 May 2011 6:03 PM

I'm not sure I follow. Antimalware comparative testing rates antimalware software against each other by testing them all by the same criteria. It's not perfect, but it does give you an idea on how much better one solution is over another, and thus, which one is a smarter buy. Many security solution puchasers will buy their products based on these ratings. Now if you do a similar type of standardized hacking and intrusion tests against online service providers at regular intervals, you can get a similar outcome. Obviously when a provider gets a bad grade, they'll want to try harder to raise the level of trust with customers. This is akin to the grading system that restaurants around here obtain during a health inspection, and must post in their front window. No restaurant owner wants a "yellow" or "red" sign, as they'll lose the trust of their patrons, but not posting the results will also lead to fines. If they pass, they get a green sign. This is a simplified system though. I'd rather have some kind of percentage of attacks blocked in the case of online service providers. The goal of this is not to say that one solution can block every type of attack, but of how serious each provider is at securing their systems. As more and more testing authorities offer their various certifications, the solutions with the highest overall "score" would be the most secure. Quantitative security does count for something, after all.

rhalbheer

10 May 2011 11:15 AM

Hi Joe,

sorry, that I did not answer earlier. The reason for my push-back is the following: I have seen in the AV-business, that there are a lot of organizations feeling qualified to run AV-tests. Sometimes Symantec is top, sometimes they fail completely. Sometimes we are top sometimes we fail. The reason for this is simple as it depends on the sample you are choosing - which is more or less relevant and more or less targeted to the outcome the testing org wants.

Therefore we (and a lot of other companies) focus on a few like the West Coast Lab as they managed to develop a brand to run a good and relevant set of tests.

The restaurant is similar: There has to be a mutually agreed body (or a well-established body in the industry) doing the red and yellow signs at your door - otherwise it will be a mess.

Giving certifications for security in the cloud is still much harder from my point ov view. In my past I did penetration tests for comanpies. We almost always got in through one or the other channel. And we all know that it is basically always possible to break into a network if you are motivated enough. What is more interesting to me is to understand the processes of a provider. There ISO 27001 is a good starting point (and only a starting point) but there is more needed. E.g how is the software developed?

I know that the Cloud Security Alliance is working on security standards for the Cloud. Maybe this is the right way to go depending on the content. Or Security Metrics.

I think we will see but just focusing on a set of hacking attempts would be too techie to me as the processes are much more relevant (including incident response :-))

Roger

Enterprise SIP Trunking Canada

9 May 2012 11:35 AM

Nice discussion regarding cloud computing providers. I was not aware of it before.. Keep it up.

hassan sayed issa20014

28 Jul 2014 11:19 PM

thank you