Thursday, 18 February 2010

Cloud Security

Cloud computing is one of the most significant buzzwords in technology today. It provides organisations with access to applications and infrastructure, as and when they are needed, without having to make upfront investments in software or in the hardware to run it on. It provides the benefit of paying a predictable monthly charge (Opex) and makes access to technology services infinitely easier for organisations that may otherwise have struggled with the implementation, ongoing management and scalability problems, let alone the capital investment (Capex).

There is, however, a but: many Cloud-based services available today can often lack the appropriate level and type of security protection required to prevent hackers accessing sensitive data stored, accessed, and transported through the Cloud. Even organisations that have shown a reluctance to take up Cloud computing may actually be using services based in the Cloud without realising it. For example, applications such as Salesforce and Google Apps are Cloud-based, as are social networking services, including Twitter and LinkedIn.

Industry experts express concern that businesses joining the Cloud computing bandwagon to benefit from its impressive repertoire of benefits may not be making an appropriate and necessary review of its impact on existing security policies. As one who focuses on security and was once an ethical hacker, I am concerned that moves to a virtual world using Cloud-based technologies could end up being a disaster unless businesses act fast. My concern centres on the number of vendors and providers who frankly are only paying lip service to security and are more caught up in the hype than the reality. Every service or platform I look at is still only secured by a traditional password, and that is just not sufficient to keep hackers at bay and to guarantee confidentiality or integrity; consider the recent attacks on Twitter…

Cloud computing represents a revolution in IT management; it is a paradigm shift, and this makes it even more critical that businesses review their security policies again. With more than 223 million records containing sensitive material compromised since 2005, according to Data Breach DB, a clearing house for data breach information, and the more recent attacks on Twitter in July 2009, businesses must make Cloud security a new priority.

The easiest way to conduct fraud online is through stealing a valid user name and password using tools like key loggers or old-fashioned social engineering. You wouldn’t even know it had happened. Organisations need to review security policies and ensure that they are adequately protected. On average it takes less than a minute to gain someone’s username and password. There are many technology tools available today, as well as complementary services to boost security. We need to remember that business is about people, processes and technology, and it is essential that all users are aware of the dangers and how to mitigate them. I strongly recommend that businesses take some simple and immediate steps to counter the threat of identity theft and hacking, and go through a process to ensure their data, their business, and their future are as secure in the Cloud as they should be in the Enterprise.

My recommendations for improving cloud security

1. Teach all end users safe internet skills
2. Perform a detailed vulnerability assessment
3. Ensure anti-virus protection is current and kept up to date on all devices
4. Use a firewall to protect every point in the organisation
5. Use VPN technology for secure connections and encryption for all information on portable devices
6. Deploy strong authentication for remote users, requiring a strong password, PIN, and separate token


Copyright 2009 Jason Hart.