10 Steps to Ensure Security of Cloud Computing Initiatives
By Partho, Gaea News Network
Tuesday, March 23, 2010
Large enterprises will not embrace the cloud until security significantly improves.
This was forecast by John Gunn, general manager at Chicago-based Aladdin, a developer of digital security tools. Clearly, data privacy, risk and compliance are key concerns for organizations planning to adopt cloud services. While security is a decisive factor in the broad adoption of cloud computing, it can also be a merit if managed competently. This calls for effective safeguarding of data in the cloud. With big players (Amazon, Google, Sun Microsystems, Salesforce.com) involved in cloud computing, it is here to stay, and a majority of companies are expected to be using it in the near future.
Cloud computing advocates cite more than a minimal environmental footprint, cost savings and increased agility as its benefits. They believe it has the potential not only to equal the security we have today, but to better it.
Once the security issue is addressed efficiently, the opposition to cloud computing would evaporate instantly. After extensive research we have assembled 10 steps required to uphold the security of cloud computing initiatives.
One commonplace security issue with cloud computing is that many users' log-ons are primitive. It is of high concern if bare-bones log-ons are in use. With outdated log-on techniques in use, hackers have an easier way to learn employee log-ons, which might open the floodgates for data leakage.
This requires a simple intervention from the company. To keep the log-on issue in check, enterprises must permit data to migrate to the cloud only if it satisfies two conditions:
- Strong authentication
- Hackers are kept at bay
Most of the mainstream cloud providers are hanging on this security issue.
It’s essential for you to know your security profile, from versions of software and code updates to security practices, vulnerability profiles, intrusion attempts and secure design. List the users who are sharing your infrastructure and acquire information on aspects such as network intrusion logs and redirection attempts. Security by obscurity might be low effort, but it can result in unknown exposures.
Security and availability of most cloud services depend on the security of the APIs customers use to manage and interact with those services.
To counter this, cloud service providers must design interfaces that protect against both malicious and accidental attempts to circumvent policy. This means ensuring strong authentication, encryption and access control.
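As an added illustration (not from the original article), here is one way a management API can combine strong authentication with access control: each request carries an HMAC signature and a timestamp, and each key is limited to an explicit list of actions. The key ids, secrets, paths and the `sign`/`authorize` helpers are hypothetical, and the request is assumed to travel over TLS for encryption in transit.

```python
import hashlib
import hmac

# Constructed sample data: key id -> (shared secret, actions that key may call).
API_KEYS = {
    "key-backup": (b"constructed-secret-1", {"GET /v1/snapshots"}),
    "key-admin": (b"constructed-secret-2",
                  {"GET /v1/snapshots", "DELETE /v1/snapshots"}),
}
MAX_SKEW_SECONDS = 300  # refuse requests whose timestamp is this far from server time


def sign(secret, method, path, timestamp, body):
    """Client side: HMAC-SHA256 over the request parts that must not change."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method, path, str(timestamp), body_hash]).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def authorize(key_id, method, path, timestamp, body, signature, now):
    """Server side: return (allowed, reason); anything not explicitly allowed is denied."""
    entry = API_KEYS.get(key_id)
    if entry is None:
        return False, "unknown key"
    secret, allowed_actions = entry
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"      # limits replay of a captured request
    expected = sign(secret, method, path, timestamp, body)
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"        # wrong secret or tampered request
    if f"{method} {path}" not in allowed_actions:
        return False, "action not permitted for this key"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    sig = sign(b"constructed-secret-1", "GET", "/v1/snapshots", now, b"")
    print(authorize("key-backup", "GET", "/v1/snapshots", now, b"", sig, now))
    # The same signed request presented ten minutes later is refused.
    print(authorize("key-backup", "GET", "/v1/snapshots", now, b"", sig, now + 600))
```

The access-control check runs after authentication, so a correctly signed request from a limited key still cannot reach an action outside its list.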
Using a cloud infrastructure doesn’t mean pushing everything to the cloud.
The cloud is not all or nothing. You need to place only the data you are comfortable with in the cloud. That is what most companies are doing. However, this is not always feasible; we are still in an era of experimentation with cloud systems.
Cloud systems are at high risk of data leaks. Such risks can be lowered by implementing strong API access control and by encrypting data in transit. It is recommended to implement strong key generation, storage, management and destruction practices.
If an account or service is hijacked, the attackers can create all sorts of trouble, from eavesdropping on your activities and transactions to manipulating data to return falsified information. Sometimes they might redirect your clients to illegitimate sites.
Businesses must implement two steps to avoid such hijacking. Firstly, they should block the sharing of account credentials between users and services. Secondly, they need to use a strong two-factor authentication technique when possible.
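As an added illustration (not from the original article), the sketch below shows one common second factor, a time-based one-time password checked alongside the password, with each user holding their own secret and an accepted code refused on reuse. It uses the RFC 4226/6238 algorithms with the RFC's published test secret; the `SecondFactor` class and `login` helper are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6


def hotp(secret, counter):
    """RFC 4226 one-time code for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SecondFactor:
    """Per-user TOTP check; one instance (and one secret) per account, never shared."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1   # highest time step already accepted for a login

    def verify(self, code, now, drift_steps=1):
        current = int(now) // STEP_SECONDS
        # Allow a small clock drift either side of the current time step.
        for counter in range(current - drift_steps, current + drift_steps + 1):
            if counter <= self.last_counter:
                continue         # step already consumed: a replayed code is refused
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


def login(password_ok, factor, code, now):
    """Both factors are required; a correct password alone never succeeds."""
    return bool(password_ok) and factor.verify(code, now)


if __name__ == "__main__":
    factor = SecondFactor(b"12345678901234567890")    # RFC 6238 test secret
    print(login(True, factor, "287082", now=59))      # valid code for this time step
    print(login(True, factor, "287082", now=59))      # same code again: refused
```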
IaaS (infrastructure-as-a-service) providers are vulnerable to abuse due to their lenient registration process. In most cases, anyone with a valid credit card can register and immediately begin using the cloud services. This anonymity of registration can be abused by cyber-criminals hosting exploits and malware.
To prevent such intrusions, cloud service providers need to impose a stern initial registration and validation process. The service needs to monitor and filter public blacklists and customer network traffic.
The applications that perform well in the cloud usually have security designed into them from the beginning. According to Scott Morrison, chief architect and vice president of engineering at Layer 7 Technologies, web apps have moved well to the cloud. It is important for you to take lessons from good service-oriented architecture and web architecture. To ensure security, you must test the application before moving it to the cloud.
Every enterprise must figure out which applications can be moved to the cloud. It is important to do an inventory.
Cloud systems are vulnerable to the risk of malicious insiders when there is a lack of transparency in processes and procedures.
This can be avoided if there is transparency in the provider’s information security and management practices. Enterprises must enforce strict supply chain management and closely assess the supplier. Specify the job requirements as part of legal contracts for governing the hiring process of those handling your data.
Most CIOs are resisting the cloud system, as they fear that cloud-based applications might skip IT and be sold directly to the end user. This could simply mean bypassing the command and control of IT. Eventually this would imply unauthorized use of public cloud resources by employees, who might expose sensitive internal data online in Web-based spreadsheets or slide shows.
You need to address this concern directly. Devise better ways for employees to upload sensitive data, since they are just looking for better ways to work.