
Friday, May 29, 2009

CLOUD SECURITY NIGHTMARE AT RSA

By D.E.Levine

At the recent RSA Conference 2009 the discussion and the fears expressed centered on cloud security.

Customer-driven groups acknowledge that defensive measures are far behind the known vulnerabilities of public cloud computing services. Vendors too acknowledge the lag.

Cisco CEO John Chambers called cloud security a "security nightmare" and said it "can't be handled in the traditional ways."

Throughout the conference attendees heard warnings about data loss and integrity, compliance, liability, reliability, authentication and information life-cycle management dangers regarding cloud computing services.

Experts agree that cloud security is clearly lagging and the dangers may outweigh the benefits and necessitate aggressive risk management.

Using such statements and fears as a jumping-off point, many vendors introduced new security services specifically centered on cloud computing.

Cisco and Trend Micro both have security services that pull threat data from around the Internet and push it to users rather than depending on desktop protection, which may be out of date.

McAfee is aiming at predictive security where there is cloud-based sharing of threat intelligence among different categories of security devices. The reasoning behind this approach is to locate and block malicious activity faster than by traditional means.

Savvis has already launched a Web application firewall service. The service is based on a choice of either virtual instances of its software residing between the Internet and the network, or its Imperva WAF appliances.

RSA plans to work with Microsoft and Cisco to develop a common language which will enable sharing intelligence about data-loss threats in the cloud and within corporate networks.

During the conference, the Jericho Forum, a Europe-based group, joined forces with the Cloud Security Alliance (CSA), a United States-based group, to pressure vendors to do more about cloud security.

Since both groups include large corporations, they plan to use their influence as major customers to pressure vendors for products that specifically address cloud threats and solutions.

Cloud computing adoption is already widespread. However, because of the lack of familiarity with the systems, as well as lack of planning, most companies do not have any type of plan or standard for checking to see that the cloud service they purchased provides the security they were promised.

De-emphasizing the risk has become very frequent. But risk comes in many forms, and in addition to potential data loss there's a real possibility of not being in compliance with regulations. Since regulations differ from country to country, and may differ from state to state (in the U.S.), how can providers prove that data restricted to particular geographic locations is actually staying where it is supposed to be?

Savings produced by cloud computing are tempting and act as a catalyst to reliance on cloud computing services.

To maintain security, continuous monitoring of the vendor is necessary, and if third-party verification can be used it will free up resources at the client. That brings up the subject of being able to outsource some of the due diligence necessary for cloud computing services.

Problems abound, but solutions are slow in coming forth.