The risk to systems owned by one business unit with good security practices may be undermined by the poor security practices of a sister business unit. Such things are extremely difficult to measure and account for, especially in large, multinational organizations, Webb said.
Another issue is application tiers. In poorly designed private clouds, non-mission critical-apps often share the same resources as mission-critical ones. How do most companies separate those? asked Chiu.
They air-gap it, so the biggest threat for most virtualization and private cloud environments is misconfiguration, he said. Eighty percent of downtime is caused by inappropriate administrative changes.
Many people are doing nothing at all to secure virtualized infrastructures. The hypervisor is essentially a network. You have whole network running inside these machines, yet most people have no idea what sort of traffic is in there, Anthony said.
Buffer overflow attacks have been successful against hypervisors, and hypervisors are popping up in all sorts of devices that people wouldnt think of as having them, including Xbox 360s.
Even when organizations believe that they have a handle on the traffic within their cloud environments, they may be fooling themselves, especially if they are relying on legacy security tools. Everyone knows that they need an IPS solution to protect their cloud deployments, but they have no idea what the actual scale of the problem is.
Moreover, many of these appliances have packet inspection settings that by default fail on. In other words, if the device is overwhelmed with, say, video traffic, the majority of traffic passes through as safe and only small samples are inspected for threats.
The IPS will typically trigger a low-level alarm or record this spike in a log, but how many IT units have time to look at logs unless they know they have a problem? Organizations are also slow to realize that they need an array of different protection in virtualized cloud environments than they had in traditional on-premise settings. Or they do realize this and are choosing to ignore it due to budget and time constraints.
The IBM security executives I talked to at RSA ticked off a number of security solutions they would recommend to better protect cloud environments, including IPS solutions with 20 GBps capabilities, DLP and application security. Much of what their advice boiled down to (see item #1 again) is that security is becoming too big of a problem to tackle for most organizations on their own.
A smaller number of administrators are now likely to have access to a greater amount of hosted data and systems than ever before, as the cloud systems are managed by a cloud infrastructure management team. This can leave sensitive data open to access by individuals who previously did not have access to it, eroding separation of duties and practices and raising the risk of insider attacks, Webb said. The ability to walk off with key assets is also simply much easier to do, rights or not, in a virtualized environment than a physical one.
When the banking restrictions came out, people were worried about someone walking into the physical data center and grabbing a rack of tapes and walking off with it, Chiu said. Those fears spurred the much higher frequency of encrypting of data at rest.
How do you steal those same assets in a virtual environment, where data encryption is often still an oversight?
If you have administrative credentials, you pick the virtual machine you want, right click and copy it, Chiu said. Its not that hard to spot someone walking out of the building with a box of tapes. A virtual machine on a USB drive isnt going to raise a single eyebrow.
ALSO SEE: 5 Cloud Computing Predictions for 2011