Is all the cloud concern justified? Today’s guest post comes from David Strom, and he argues that while it isn’t the cloud that’s insecure, it might be your own cloud implementation and basic IT policies that are at fault.
With cloud security, sometimes perception trumps reality. Interestingly, a May 2010 report by Derek Brink of the Aberdeen Group shows that users of cloud-based Web security tools fared better than users of on-premises equivalents, with fewer malware incidents.
Perhaps all the fuss is more about insecure Web applications than about the cloud itself. Many of the top Web security exploits – like cross-site scripting and SQL injection – have been around almost since Web servers were invented, and for some reason they still vex many corporate installations. Going to the cloud doesn’t change that: if you have an insecure Web app, it will be just as insecure in the cloud as on a server in your data center.
As another data point, a second survey from last May found that IT staff admitted to having incomplete knowledge of which of their computing resources are deployed in the cloud, mainly because those decisions are made by end-users outside of any IT review. About half of the respondents to this study, commissioned by CA and the Ponemon Institute, acknowledged that many cloud resources are not evaluated for security implications before being deployed within their organizations.
One way to be more secure is to bring your cloud inside your data center, so that these resources and assets sit behind your corporate firewall. This is called a hybrid public/private cloud. The concept is catching on – Intel has announced its own Hybrid Cloud offering, currently in limited beta: a server designed for managed services providers to deploy on a customer’s premises, with a variety of options including firewall, VoIP PBX, virtual storage and management tools. And Amazon Web Services has been around for many years and includes its CloudWatch service to manage hybrid clouds built with its tools.
Another option is to insist you use some kind of Virtual Private Network to connect whatever you have in the cloud with whatever you have in your data center. Verizon’s Terremark CaaS service, as an example, uses Cisco’s AnyConnect VPN service that is launched from Internet Explorer browsers. That is a good way to connect a single desktop to your cloud securely. Amazon’s Web Services offers its Virtual Private Cloud service, which can connect your entire cloud environment into your corporate network. You can bridge your Amazon and on-premises networks, assign private IP address ranges, and route traffic from your applications running in the cloud to your internal security devices before reaching the Internet.
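One way to build the Virtual Private Cloud arrangement just described (private address range, VPN back to the data center, and cloud egress forced through the corporate security devices), as an added Terraform example that is not from the post or from AWS; the CIDR ranges, the ASN and the 198.51.100.10 address of the on-premises VPN device are assumed placeholders.

```hcl
# Added example (not the post's own). Assumed: 10.20.0.0/16 VPC, 198.51.100.10
# as the placeholder public IP of the on-premises VPN device.
resource "aws_vpc" "hybrid" {
  cidr_block = "10.20.0.0/16" # private range, must not overlap the data center
}
# Private subnet for the cloud application tier. No internet gateway is
# attached to this VPC, so the only way out is through the VPN below.
resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.hybrid.id
  cidr_block = "10.20.1.0/24"
}
# Corporate side of the IPsec tunnel (the VPN concentrator's public address).
resource "aws_customer_gateway" "corp" {
  bgp_asn    = 65000
  ip_address = "198.51.100.10"
  type       = "ipsec.1"
}
# AWS side of the tunnel, attached to the VPC.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.hybrid.id
}
resource "aws_vpn_connection" "corp" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.corp.id
  type                = "ipsec.1"
  static_routes_only  = true
}
# Static route telling the tunnel that everything (0.0.0.0/0), internet-bound
# traffic included, is reachable on the corporate side.
resource "aws_vpn_connection_route" "everything" {
  destination_cidr_block = "0.0.0.0/0"
  vpn_connection_id      = aws_vpn_connection.corp.id
}
# Subnet route table: the default route points at the VPN gateway, so cloud
# traffic crosses the corporate firewall and IDS before reaching the internet.
resource "aws_route_table" "app" {
  vpc_id = aws_vpc.hybrid.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_vpn_gateway.vgw.id
  }
}
resource "aws_route_table_association" "app" {
  subnet_id      = aws_subnet.app.id
  route_table_id = aws_route_table.app.id
}
```

Because no internet gateway exists in this VPC, a misconfigured security group cannot expose the application directly; every packet has to pass the on-premises controls first.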
Other cloud providers offer virtual firewalls from vendors such as Vyatta that connect to their twins inside a corporate data center, or work with traditional Cisco VPN gateways.
David Strom has many interests: as a former IT manager, a publication editor, a Web site creator, a podcaster and video producer, and a professional speaker. He writes several blogs including strominator.com, webinformant.tv, and mediablather.com. He lives in St. Louis and can be found on twitter @dstrom.