Pace of security breaches expected to increase as cloud rolls out

19 Oct 2011

Dell’s senior VP of engineering and technology for EMEA Don Smith warned today that as cloud computing adoption picks up pace we’re likely to see an increase in security breaches.

Smith encouraged businesses to fully consider the implications of moving their IT systems outside the organisation in order to prevent security breaches.

“As cloud computing adoption picks up pace, promising compelling cost savings and ease of management, it will quickly move from hype to large-scale deployment.

“Therefore, we’re likely to see an increase in security breaches, unless businesses fully consider the implications of moving their IT systems outside the organisation. While security worries have put some businesses off migrating their data, systems and infrastructure to the cloud, many other businesses have started to use cloud services without thinking first about the safety of their critical assets.

“It is important to remember that the risks associated with cloud services are the same risks that we’ve collectively been dealing with for many years. The only difference now is the context in which they exist.

“One of the biggest threats with cloud computing is that data is taken outside the traditional parameters of the ‘office’, and a security breach could easily happen without you knowing. There can also be security complacency on behalf of the businesses as they often assume that, as everything is behind a firewall, it must be secure. Unfortunately, even though vendors often offer ‘cloud management solutions’ these usually don’t provide adequate protection.”

Smith concluded by saying: “The most common type of cloud service is SaaS (software-as-a-service), but organisations are also adopting IaaS (infrastructure-as-a-service) and making forays into PaaS (platform-as-a-service) offerings. Whatever type of outsourced service is used, a formal risk assessment should be conducted to give full visibility of your information assets and vulnerabilities. This ensures you know what you’re being exposed to, and where the high risk areas sit. Ultimately, what’s required is a layered and balanced approach to security.”

Questions that need to be asked about migrating to the cloud

With responsibility for operations being transferred outside the organisation, companies should be careful not to assume that responsibility for security is also being transferred. When looking at moving systems to the cloud, it is vital for a business to ask their supplier the right questions before purchasing services, and not after.

According to Dell’s SecureWorks team, cloud computing services are now so compelling that an organisation may find some of its employees are already using a service like Amazon’s EC2 to run a project without the IT or security manager knowing. Full visibility of your systems, wherever they are, is vital to ensure there is no major vulnerability that you do not even know exists.

As cloud computing becomes more commonplace and is coupled with more varied forms of remote working, it will become increasingly difficult to protect assets across virtual borders.

The SecureWorks team recommends firms ask the following questions:

1. Is my data segregated from other customers?

2. Who has access to my data?

3. How is that access controlled? Can I leverage the use of two-factor authentication to control access?

4. Can I easily migrate data back in-house or to another service provider?

5. Can I audit data access effectively?

6. How is data backed up and what disaster recovery arrangements are in place? For SaaS, in particular, consideration should be given to what mechanisms are available for user life cycle management and provisioning.

7. What does this mean for my compliance status?

8. What security controls are in place?

9. What about super users – how is privileged access controlled?

10. How are breaches detected?

Editor John Kennedy is an award-winning technology journalist.

editorial@siliconrepublic.com