Most of the commentary written about companies moving to the Cloud  focuses on  the loss of control over company data as a consequence of giving up self-hosted infrastructure. There is usually an implication that this is bad. I believe that is not necessarily a given. How may stories do you read daily about data breaches unrelated to the cloud? It’s almost cliche now.

The critical question that must be asked is “Can cloud provider X protect your company’s  data better than you can?”.

In many cases, the answer is yes. Basically [ in most cases] they do security better than you do. They can afford to hire more security staff  and deploy a more robust security infrastructure. Their business depends on it. In a presentation I gave some time ago on cloud computing located here, I listed the following as additional reasons why:

• Security measures are cheaper when implemented on a large scale
• Better security provides competitive advantage to providers
• Increased standardization and industry collaboration
• Improved forensic capabilities and evidence gathering
• Improved resource scaling

Back of our aforementioned daily horror stories of data breaches. How many of those companies or organizations get closed down or do out of business due to their lax security practices? Not many. For cloud service providers, trust of their customers and potential customers is key to survival. Good security practices are not optional, they are a business imperative.

I’ve witness this first hand working for a financial industry application services provider. Long before “cloud” was a buzz word, there were Application Service Providers (ASPs) that basically performed Software as a Service ( SaaS).  There was a strong culture of security at all levels of the company, from the board on down.

Giving up some control means trusting your provider. This also requires doing your due diligence in selecting the right provier and having a proper service level agreement in place that will allow you access to verify that they are indeed adequately protecting your data.

I just read that my hosting company, GoDaddy, is on the auction block to be sold to the highest bidder. Naturally, I’m thinking of how this change of ownership could adversely affect the service of my web sites, blogs, and virtual servers.  One never really knows until the new owners take over. Maybe they clean house and things change for the better. Or they may look to cut costs and things could take a downward turn. Migrating to a another service would a pain but I could do it if needed.

This brings to mind the current state of the cloud computing market. The mad gold rush of cloud services providers continues. Everyone wants a piece of the action.  These companies offer a variety of hosting services for IT infrastructure, platforms and applications.  The lure of moving to the cloud is obvious. Let someone else do it better, cheaper, more reliably and worry about the  details. More organizations are taking advantage. Companies, large and small, are moving their data, applications, and systems to one or more of the legion of providers out there.  This means more dependence on these providers for accessing business critical resources.  Although there are some obvious leaders in the cloud market today ( Google, Amazon, Salesforce), there are also a many smaller boutique providers that compete mostly on price.

In coming years, I expect the market to settle. Some providers will flourish, others will go down in flames or be acquired by one of the larger shops. These changes could have real consequences to customers. What happens if your provider is using proprietary technology and goes out of business?  Migrating to a new provider might be difficult. Doing your due diligence before selecting a provider is very important. Verifying the financial stability of the company and developing a strong service level agreement are key requirements.  Your SLA must address uptime, performance and security. The ability to audit your provider is also very important.

Many small businesses would not exist without the cloud. Building, hosting, and managing an IT infrastructure can be cost prohibitive. Choosing the right provider, however, may be the difference between success and failure.

Looking ahead, the X-Force Research and Development team has identified some key trends to watch for in the future, including:

Cloud Computing — As an emerging technology, security concerns remain a hurdle for organizations looking to adopt cloud computing. As organizations transition to the cloud, IBM recommends that they start by examining the security requirements of the workloads they intend to host in the cloud, rather than starting with an examination of different potential service providers. Gaining a good understanding of the needs and requirements first will help organizations take a more strategic approach to adopting cloud services.

Virtualization – As organizations push workloads into virtual server infrastructures to take advantage of ever increasing CPU performance, questions have been raised about the wisdom of sharing workloads with different security requirements on the same physical hardware. X-Force’s vulnerability data shows that 35 percent of vulnerabilities impacting server class virtualization systems affect the hypervisor, which means that an attacker with control of one virtual system may be able to manipulate other systems on the same machine. This is a significant data point when architecting virtualization projects.

Read more: http://www.prnewswire.com/news-releases/ibm-x-force-report-reveals-global-security-threats-have-reached-record-levels-101460029.html

Many trumpet increased availability as a reason to move to the cloud but what happens when your cloud provider is no longer available?

Some companies are faced with this very question this week as storage provider, EMC  announced its plan to shut down its Atmos Online cloud storage service immediately, according to a posting on its website.

EMC launched Atmos Online in May 2009, calling it “Cloud Optimized Storage [with] capabilities that can scale effectively, coupled with security and management tools.”  This placed EMC in direct competition with some of its service provider partners who used EMC’s Atmos technology to provide cloud storage to its customers.

EMC has now  downgraded Atmos Online to a development platform and is offering no guarantee as to the availability of user data moving forward. EMC used its web posting to “strongly encourage [companies to] migrate any critical data or production workloads currently served via Atmos Online to one of our partners offering Atmos based services,”

The provider going out of business is one of the many risks companies have to address when considering moving their critical data into the cloud. In this case, companies now have to spend resources doing the necessary due diligence in selecting an alternative cloud storage provider.

According to Morris Cody, CIO at Washington D.C. based Information Security Services Firm, Secure Intervention, companies moving to the cloud better consider the following:

As more vendors dive into the cloud computing market, every possible claim regarding the supposed benefits of moving to a cloud-based service is being made.  I ran across an article titled ” Why Cloud-based Monitoring is more reliable and secure than Nagios. ” The auth0r, who represented a cloud-based network monitoring company, contended that the Software-as-a-Service (SaaS) model offered by his company was better for companies than Nagios and other open source products.

The question is not  Cloud Computing vs. Open Source.  In fact, there are open source SaaS providers like MindTouch out there.  If considering a product like Nagios, a better comparison would be open source vs. commercial.  In many cases, cost is the determining factor for companies to look  to open source technologies. Other considerations include flexibility and security.

The more relevant  comparison would be hosting and managing a network monitoring system on site vs. moving to a SaaS provider. For many organizations,  IT is considered overhead and not the primary function of the organization. Companies move to the cloud for most of the same reasons companies out-source.  Can someone else do it better for less?  Cost is ually the easier consideration. Companies have to grapple with the ‘better’. Does it mean more security, availability, capacity? Many cloud providers would say ‘yes’ to all and then some.  Organizations have to really consider and make that determination themselves. Make a real comparision between their options and not just follow the typical vendor hype.

If you are in cloud computing security (or part of an organization with infrastructure in a public cloud), this paper is a must read. As more organizations seek to realizes the benefits of the cloud, it’s important that we continue to investigate the risks as well. Granted this research only applies to virtual machines on a shared host. Cloud Computing service provider usually provide “private” cloud offerings with only one client’s virtual machines  per physical server.

Does the remote chance of your virtual server being attacked by another virtual server on the same host server justify the added cost of a private cloud deployment? That’s for each client to decide. Ensure you are doing your due diligence before making a decision one way or the other.

Abstract:

Amazon’s EC2, allow users to instantiate virtual machines (VMs) on demand and thus purchase precisely the capacity they require when they require it.In turn, the use of virtualization allows third-party cloud providers to maximize the utilization of their sunk capital costs by multiplexing many customer VMs across a shared physical infrastructure. However, in this paper, we show that this approach can also introduce new vulnerabilities.Using the Amazon EC2 service as a case study, we show that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and instantiate new VMs until one is placed co-resident with the target. We explore how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.

Download paper: http://people.csail.mit.edu/tromer/papers/cloudsec.pdf

As CSO of Qualys, Randy Barr is responsible for security, risk management and business continuity planning of the QualysGuard platform. In this video Randy talks about cloud computing security from an insider’s point of view. He illustrates what a security professional has to go through when building a security program for a cloud environment.

For more security-related material visit Help Net Security: http://www.net-security.org

Today is the last day of RSA Conference 2010. If you didn’t make it,  CSOonline.com has provided a recap of the highlights:

RSA COVERAGE

RSA 2010: Infosec Pros Get Raises Despite Recession An (ISC)2 survey suggests salary increases and hiring went up for many security practitioners in the last year despite the Great Recession. Ironically, the recession may be WHY it’s happening.

RSA 2010: Why 41 Percent of You Would Fail a PCI Audit Miscellaneous news bytes from the RSA 2010 press room: QSAs tell Ponemon Institute that 41 percent of companies would bomb their PCI security audit; hackers industrialize their sinister revolution and VeriSign opens a new compatibility lab.

RSA 2010: Can Adobe Stop the Hate? Security pros are unhappy with Adobe Systems over recent flaws and attacks. Adobe Security Chief Brad Arkin on what the company is doing about it.

RSA Conference 2010: 4 Survival TipsFor the newcomer, the RSA security conference can be overwhelming. Follow these four strategies to get the most from it.

Social Networking is Risky Business From Computerworld: A panel discusses the risks associated with social networking sites.

Chertoff: Tracking Attacks to the Source is Key for Cybersecurity From Computerworld: An exclusive interview with former DHS leader Michael Chertoff.

RSA PODCASTS

RSA 2010: Microsoft’s Plan for Cloud Security Audio: Microsoft VP Jim Jones explains his company’s approach for securing its services in the cloud.

RSA 2010: Verizon Releases Its Threat Report Recipe Verizon Business will share the research framework used for its Data Breach Investigations Reports so companies can create reports tailored to their specific environments.

SECURITY B-SIDES COVERAGE

Security B-Sides: Perfect Authentication Remains Elusive Everyone realizes passwords have their shortcomings. But alternatives like two-factor authentication are not as powerful as one would expect. The problem? As always — human behavior.

One Man’s Life on the Security D-List At Security B-Sides, infosec author Andrew Hay explains the four pillars for moving from the bottom of the IT security shop to a place of respect, and why getting to the A-list isn’t all it’s cracked up to be.

Security B-Sides: Rise of the ‘Anti-conference’ The RSA 2010 conference had some nearby competition. Here’s the story of Security B-Sides as the conference alternative.

Interesting excerpt from article in ITWorldCanada:

“Adi Shamir, a computer science professor at Israel’s Weizmann Institute of Science and also the “S” in the RSA encryption algorithm, warned against trusting cloud computing services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet. He says the phone systems are secure, but that major crossroads in their networks are tapped by the NSA. “There’s a pipe out of the back of an office at AT&T in San Francisco to NSA,” he said.

Government access to assets entrusted to public cloud providers will be similar, he says. He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG security gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. “Please don’t use Cloud AG,” he said.”

So not only do you have to worry about who else is in the cloud with your data and what controls the server provider has in place to secure your data, but whether the government not will have unfettered to all your organizations’ data without your knowledge. They did it with phone records, so…..