Back to article
5 Overlooked Threats to Cloud ComputingBy Jeff Vance
February 28, 2011
A lack of understanding about security risks is one of the key factors holding back cloud computing.
Report after report after report harps on security as the main speed bump slowing the pace of cloud adoption. But what tends to be overlooked, even by cloud advocates, is that overall security threats are changing as organizations move from physical environments to virtual ones and on to cloud-based ones.
Viruses, malware and phishing are still concerns, but issues like virtual-machine-launched attacks, multi-tenancy risks and hypervisor vulnerabilities will challenge even the most up-to-date security administrator. Here are 5 overlooked threats that could put your cloud computing efforts at risk.
1. DIY Security.The days of security through obscurity are over. In the past, if you were an anonymous SMB, the threats you worried about were the typical consumer ones: viruses, phishing and, say, Nigerian 419 scams. Hackers didnt have enough to gain to focus their energy on penetrating your network, and you didnt have to worry about things like DDoS attacks those were a service provider problem.
Remember the old New Yorker cartoon: on the Internet no one knows youre a dog? Well, in the cloud, no one knows youre an SMB.
Being a small site no longer protects you, said Marisa S. Viveros, VP of IBM Security Services. Threats come from everywhere. Being in the U.S. doesnt mean youll only be exposed to U.S.-based attacks. You and everyone are threatened from attackers from everywhere, China, Russia, Somalia.
To a degree, thats been the case for a while, but even targeted attacks are global now, and if you share an infrastructure with a higher-profile organization, you may also be seen as the beachhead that attackers can use to go after your bigger neighbors.
In other words, the next time China or Russia hacks a major cloud provider, you may end up as collateral damage. What this all adds up to is that in the cloud, DIY security no longer cuts it. Also, having an overworked general IT person coordinating your security efforts is a terrible idea.
As more and more companies move to cloud-based infrastructure, only the biggest companies with the deepest pockets will be able to handle security on their own. Everyone else will need to start thinking of security as a service, and, perhaps, eventually even a utility.
2. Private clouds that arent.One way that security-wary companies get their feet wet in the cloud is by adopting private clouds. Its not uncommon for enterprises to deploy private clouds to try to have it both ways. They get the cost and efficiency benefits of the cloud but avoid the perceived security risks of public cloud projects.
Plenty of private clouds, though, arent all that private. Many private cloud infrastructures are actually hosted by third parties, which still leaves them open to concerns of privileged insider access from the provider and a lack of transparency to security practices and risks, said Geoff Webb, Director of Product Marketing for CREDANT Technologies, a data protection vendor.
Much of what you read about cloud security still treats it in outdated ways. At the recent RSA conference, I cant tell you how many times people told me that the key to cloud security was to nail down solid SLAs that cover security in detail. If you delineate responsibilities and hold service providers accountable, youre good to go.
There is some truth to that, but simply trusting a vendor to live up to SLAs is a suckers game. You not the service provider will be the one who gets blamed by your board or your customers when sensitive IP is stolen or customer records are exposed.
A service provider touting its security standards may not have paid very close attention to security. This is high-tech, after all, where security is almost always an afterthought.
3. Multi-tenancy risks in private and hybrid clouds.Many companies, when building out their private or hybrid clouds, are hitting walls. The easy stuff has been virtualized, things like test development and file printing.
A lot of companies have about 30 percent of their infrastructure virtualized. Theyd like to get to 60-70 percent, but the low-hanging fruit has all been picked. Theyre trying to hit mission-critical and compliance workloads, but thats where security becomes a serious roadblock, said Eric Chiu, President of virtualization and cloud security company HyTrust.
Multi-tenancy isnt strictly a public cloud issue. Different business units often with different security practices may occupy the same infrastructure in private and hybrid clouds.