HP, Cloud Security Alliance Identify Top Cloud Security Risks

Top Six Threats Report Results Released at RSA Conference

How do you know who's doing what in the cloud you've built, bought or rented? The answer for too many early cloud adopters is: They don't.

That's one consequence of the six key security risks of cloud computing, presented today in a report commissioned by HP and conducted by the Cloud Security Alliance. Three of these risks, categorized as "abuse and nefarious use," "malicious insider risks" and "account service and traffic hijacking," each relate to an enterprise's ability--or inability--to authenticate who is getting to the cloud and to authorize and track what they are doing once there.

"The cloud is not occupied by your IT person--you really have no idea what's going on in there," said Chris Whitener, chief security strategist, HP, to Security Squared in a pre-release briefing. He suggested some IT departments are too quick to assume the cloud practices the same security measures they do. "Faith-based IT is a real problem." 

The other three risks are insecure application programming interfaces (APIs); shared technology vulnerabilities; and data loss and leakage.

Whitener noted that none of the six threats is unique to the cloud: disgruntled or thoughtless employees can misuse or lose data stored on USB drives, while bad programming is bad programming wherever it occurs. However, cloud architectures tend to amplify the impact of one user's actions, he said.

"If you can swipe one account, you have access to a lot more within the cloud," Whitener said.

Similarly, even if just a few companies use poor security connecting to or within the cloud, they could be increasing the risk profiles for other cloud users. "That's probably the most prevalent right now," he said.

From a converged perspective, extending identity management and strong authentication practices out to the cloud seems to make a lot of sense. The challenge, as Whitener said, is that many enterprises seem to think there's not much risk in just giving the cloud a try.

"If you're going to do something in the cloud, think about it," he said. Consider the risks and how the application and its data might be used by other departments or users, and think through security, Whitener urged. "Don't just slap it up."

During RSA, Security Squared will be talking with a variety of identity management vendors, including CA Security Management, HP, IBM, Microsoft and Novell, about their views on extending identity infrastructure out to the cloud and where they stand in supporting physical/logical identity convergence and related security policies, which seem to us to be key building blocks in making the cloud safe and compliant.

# # #

New to Security Squared from RSA? Please be sure to sign up for our free newsletter (we don't share personal data) so you don't miss any of our unique perspective about where physical and logical security naturally intersect.
