Cloud Security: Not all Clouds are Created Equal
July 9, 2012
By Vinny Sakore, Senior Consultant

This was my initial response to a question posed by the panel moderator, Brad Gow, at the NetDiligence Cyber Risk and Privacy Forum a few weeks back. Our panel was focused on emerging technologies and consisted of myself, Tom Kellerman (Trend Micro), Mike Viscuso (Carbon Black), Brad Gow (Endurance Insurance), and Mark Teolis (DoS Arrest).

My initial response points to the disparate landscape of cloud computing: cloud providers need to be evaluated on an individual basis.

In a joint response, Tom Kellerman and I focused on three “criteria” to use when investigating or evaluating cloud providers. They are not listed in order of importance, nor are they a comprehensive list of evaluation criteria for cloud security. Yet they are three points to keep in mind when considering cloud security …

1. Dedicated Security Teams
Layered security and defense in depth are important approaches that cloud providers should implement. A dedicated team focused on identifying, assessing and responding to security events should be part of a cloud provider’s defense strategy. These teams should be experienced in, and dedicated to, quickly and successfully responding to distributed denial of service (DDoS) and the other attacks used by cyber criminals.

2. Data Classification & Encryption
Cloud providers should have a mechanism to classify types of information, along with inline processes that protect data according to its classification. Many cloud providers will tag data as “highly sensitive” or “restricted”, and that tag triggers automatic protection of the data through encryption and other means.

The use of encryption is widely recognized as providing strong security for enterprise data. An encryption strategy on its own, however, is not enough: the management of the keys should also be examined.
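To make the two points above concrete, here is a small added example (not code from the original post or from any provider it mentions) of classification-driven protection with a separate key-management plane. Records carry a classification tag; only the labels the article names trigger encryption. Each protected object gets its own data-encryption key (DEK), which is stored only in wrapped form under a key-encryption key (KEK), and KEK rotation rewraps the DEKs without touching any ciphertext. All names, the sample records and the policy table are constructed for illustration, and the cipher is an explicitly labelled stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) used so the example runs on the Python standard library alone; a real deployment would use an AEAD such as AES-GCM backed by a managed KMS.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Classification policy (constructed): labels that trigger automatic encryption.
ENCRYPT_LABELS = {"highly sensitive", "restricted"}


def classify(record: dict) -> str:
    """Return the record's classification label; untagged data is treated
    as 'internal' (an assumption made for this example)."""
    return record.get("classification", "internal").lower()


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte key.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # STAND-IN cipher: HMAC-SHA256 in counter mode. Not a real AEAD; use AES-GCM in practice.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 16-byte nonce | ciphertext | 32-byte tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


@dataclass
class KeyManager:
    """Constructed stand-in for a KMS: versioned KEKs held apart from the data,
    per-object DEKs that exist outside the KMS only in wrapped form, and KEK
    rotation that rewraps DEKs while the stored ciphertext stays unchanged."""
    kek_versions: dict = field(default_factory=dict)
    current_version: int = 0

    def __post_init__(self):
        self.rotate_kek()

    def rotate_kek(self) -> int:
        self.current_version += 1
        self.kek_versions[self.current_version] = secrets.token_bytes(32)
        return self.current_version

    def new_wrapped_dek(self):
        dek = secrets.token_bytes(32)
        return dek, (self.current_version, seal(self.kek_versions[self.current_version], dek))

    def unwrap(self, wrapped) -> bytes:
        version, blob = wrapped
        return open_(self.kek_versions[version], blob)

    def rewrap(self, wrapped):
        # Rewrap under the current KEK; the object's ciphertext is never touched.
        dek = self.unwrap(wrapped)
        return (self.current_version, seal(self.kek_versions[self.current_version], dek))


def protect(record: dict, km: KeyManager) -> dict:
    """Inline protection step: encrypt only when the label requires it."""
    label = classify(record)
    if label not in ENCRYPT_LABELS:
        return {"classification": label, "payload": record["payload"], "encrypted": False}
    dek, wrapped = km.new_wrapped_dek()
    return {"classification": label, "payload": seal(dek, record["payload"].encode()),
            "wrapped_dek": wrapped, "encrypted": True}


def reveal(stored: dict, km: KeyManager) -> str:
    if not stored["encrypted"]:
        return stored["payload"]
    return open_(km.unwrap(stored["wrapped_dek"]), stored["payload"]).decode()


# Constructed sample records: one public, one restricted.
SAMPLE_RECORDS = [
    {"classification": "public", "payload": "press release draft"},
    {"classification": "restricted", "payload": "customer SSN 000-00-0000"},
]

if __name__ == "__main__":
    km = KeyManager()
    stored = [protect(r, km) for r in SAMPLE_RECORDS]
    print([(s["classification"], s["encrypted"]) for s in stored])
    km.rotate_kek()
    stored[1]["wrapped_dek"] = km.rewrap(stored[1]["wrapped_dek"])
    print(reveal(stored[1], km))
```

The point to take from the design is the one the article makes: the classification tag, not the application, decides whether encryption happens, and the key hierarchy is what lets a provider rotate or revoke keys without re-encrypting every object. When evaluating a provider, ask where the KEKs live, who can call the equivalent of `unwrap`, and whether rotation is routine.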

3. Competing Above the Bar
Compliance doesn’t equate to security, but it is often the “de facto” standard or “bar” that cloud service providers are expected to meet. The relevant question isn’t whether a cloud provider has attained a compliance certificate, but what the provider is doing above and beyond security compliance. This isn’t a slight to any compliance objective or standard, merely a recognition that compliance is only one section of a layered, defense-in-depth approach to security.

Questions to ask: Do they have their own security compliance program that goes beyond the minimum requirements of industry standards? Are their security devices and applications independently tested and certified?

The jury is still out on whether cloud computing is more or less secure than the traditional enterprise environment. To properly answer the question, each cloud provider needs to be evaluated individually against the existing infrastructure.
