5 Dangerous Cloud Computing Security Misconceptions

Virtualization and cloud computing promise to optimize IT infrastructures and drive down computing costs. However, any new technology ushers in new risks.

Back in the all-wired age, no one worried about wardriving and password sniffing. Now, protecting against those threats is standard.

The risks and security implications of moving your sensitive data assets to the cloud are not yet fully understood. One thing that’s clear, though, is that the cost advantages of moving to the cloud means that it’s a matter of when, not if.

Companies eschewing the cloud will quickly be at a disadvantage against their cloud-embracing rivals. IT’s security toolbox will be much different in five years than it is today.

Cloud security may well have its WEP moment, but it’ll eventually evolve. How it will change, though, is much debated, and the signal-to-noise ratio when it comes to cloud security advice is not high.

Many look at cloud security through a corporate LAN lens. Others believe that any data outside the corporate firewall is basically lost. Still others believe, naively, that the cloud providers will take care of these problems for them. Some misconceptions are more problematic than others.

Here are five dangerous cloud security misconceptions that could compromise overall security.

1. Data in the cloud is less secure than behind a corporate firewall.

One of the biggest roadblocks to cloud adoption is security. Yet misconceptions about cloud security may actually be undermining security.

As IT gets squeezed by corporate budget cuts and an ever greater need to stay on top of patches, upgrades and mushrooming vulnerabilities, the idea that you can handle security better than a large cloud provider with deep pockets and a dedicated security staff is misguided.

“Remember, when a corporation loses sensitive data, it’s usually an inside job,” said Brian Curry, VP of Products and Business Strategy at YouSendIt, a provider of secure digital content delivery services. “Some insider will have access to systems they shouldn’t, and data is at risk.” Clearly, reducing or eliminating insider attacks is a huge security boon.

In many corporations, once you are credentialed, you can go pretty much anywhere you want. And how many enterprises have critical severs in unlocked rooms – or even closets – that pretty much anyone can enter? Ethernet ports are everywhere. Being inside the building essentially means that you are deep inside the network.

Compare that to a cloud vendor. They have multiple data centers – backup and disaster recovery should be a given with the cloud – and anyone entering must pass through layers of physical and often biometric security.

Moreover, reputable cloud vendors must comply with numerous regulations, are audited frequently and their business depends on delivering secure access to data. Major breaches equate with major customer defections.

Finally, in an enterprise setting, security is often the last thing IT worries about. Instead they spend the bulk of their time on mundane, cumbersome tasks like patches and password resets. In these days of doing more with less, there may not even be a dedicated security professional on staff.

If a cloud provider’s security is as lax as it is at many enterprises, they won’t be in business very long.

2. All clouds are created equal.

Even though cloud providers should deliver better security, that doesn’t mean all of them will.

People speak and think of the cloud generically. A cloud is a cloud is a cloud. Nothing could be further from the truth.

“SLAs, security, reliability and uptime can all vary greatly from provider to provider,” said Rami Habal, Director of Product Marketing for Proofpoint, a SaaS security and compliance provider.

Habal believes it’s important to have SLAs that go beyond basic uptime and reliability. SLAs should cover the applications themselves, and even what the vendor will do in the event of a breach or a DDoS attack.

Cloud vendors should be scrutinized just as closely as traditional hardware and software vendors. Conduct pilots, pick apart their security policies, negotiate favorable SLAs and seek out third-party validation of their service.

3. A secure virtual machine on a public cloud is equivalent to a secure physical machine inside the enterprise.

While many cloud security misconceptions emanate from cloud skeptics, the early adopters have their own misconceptions. A big one is that virtual machines are every bit as secure as physical ones.

“There are multitudes of attacks on the virtual machines that can be launched from another virtual machine running on the same cloud hardware. So, securing the data by security communication alone, such as by https or VPN, will still be insecure,” said Pravin Kothari, founder and CEO of CipherCloud.