Cloud Security Challenges Include Audit Trails, Preventing Attacks - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud // Infrastructure as a Service
07:03 PM
Connect Directly

Cloud Security Challenges Include Audit Trails, Preventing Attacks

How to build an effective Security Operations Center to cope with new threats in the era of virtualization and cloud computing will be a major topic at the upcoming Connections Conference in Las Vegas in April.

Top 10 Cloud Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Cloud Stories Of 2010
The brief called for a Security Operations Center with six core attributes, such as knowing the IT infrastructure well and understanding where the crown jewels resided and mapping possible avenues of attack against them. The center would be able to conceive in advance the protections needed against those attacks, and could plot the swift action needed if those defenses are breached.

In this view, virtualization is not a vulnerability, but one of the lines of defense in depth. A virtual machine can isolate a database or other target and its hypervisor can be closely monitored for any sign of intrusion. If such a sign is detected, the virtual machine can be easily shut off from other resources or even shut down, with a clean copy restarted.

The paper, called Mobilizing Intelligent Security Operations for Advanced Persistent Threats, (pdf) illustrates how security professionals, with great effort, can get the upper hand in the arms race between defenders versus attackers.

Puhlmann said a cloud environment can be made as secure as a data center and, when it comes to PCI transactions, "I don't see why they shouldn't become a commonplace" in the cloud. But the PCI standard will have to "adjust itself to the times" before that will be true, he said.

Puhlmann will try to relate security to the process of innovation that is underway, particularly in cloud computing, "which is moving ahead faster and faster. The cloud is a huge disrupter. It's up to us and others to make sure its security is discussed."

Cloud practices that move data between data centers around the world illustrate how archaic the laws governing data management and security have become, he pointed out. In some cases, data arising in Europe can't leave a nation's borders. Canadian healthcare data can't be stored on U.S. servers.

"We have completely conflicting rules of law enforcement," he said, and until Jan. 1, the PCI council hadn't acknowledged that a PCI compliant process could be established, even if part of it was running on a virtual machine.

"Virtualization is just an enabling technology. What's so different with the cloud is the consuming model," with consumers accessing the cloud from a wide variety of locations. The challenge of managing access is about to expand with the advent of many tablets, smart phones and other mobile devices tapping into the cloud.

Only part of the problem is technical complexity. Just as important is getting the people processes straight and having governance in place so the initiator of an operation in the cloud is doing things correctly, he said. Another complexity is lines of responsibility, who's doing what. "Now there are people handling the system and data who are not employed by you. That changes the notion of who works for your company," he noted.

A cloud's APIs need to be secure and only do the things they are designed to do, not leave maneuvering room for interlopers. "It's crucial these interfaces are rock solid," he said.

There's been no publicized breach based on a malformed API but such an event is probably only a matter of time. From Puhlmann's perspective, the cloud isn't inherently insecure, but neither has it matured to the point where users are assured in all cases of its security.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
2 of 2
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll