IT security professionals don't like surprises. It's not that they're an inherently humorless bunch, it's just that unexpected news is rarely good news in their line of work. As a result, they are often the ones within the organization to express the most vocal opposition to cloud computing initiatives, suggesting that the unpredictable nature of new technology introduces considerable risk.
These claims are not unfounded, according to Wired contributor Rob May, as few if any industry experts can rightly boast more than a decade of experience securing virtual environments. Latent fears of welcoming third parties into the data protection equation do not help matters either. But by taking responsibility for all the factors that remain under their jurisdiction, companies can retain control and sidestep some of the cloud's most dangerous threats.
Regulating the guest list
Access control is one security discipline that is always within IT's grasp – regardless of operating environment. One of the lesser known threats, according to May, stems from inconsistent or careless provisioning of cloud applications. Administrators rejoice in the fact that a Software-as-a-Service model makes it easier than ever to add seats on the fly, but they often forget about the other side of the equation. Zombie accounts, or those that are no longer in use but haven't been deprovisioned or deleted, can be a silent source of vulnerability.
"The danger with zombie accounts is that, if they are compromised, no one is watching them," May wrote. "A subverted zombie user could steal, corrupt or delete data well before anyone is the wiser."
This often gets overlooked as most companies assume such accounts will be flagged when subscriptions are reviewed and renewed on a monthly basis. However, companies relying on an annual billing cycle for core apps could unwittingly expand their threat window by 11 months.
Companies also have to worry about the damage a rogue employee could do. As May suggested, such an insider is in much the same position as an attacker holding a zombie account: nobody is watching, and the insider has the added advantage of knowing exactly what to look for and where to find it. The principle of least privilege therefore needs to be in full effect, with credentials and entitlements audited and reviewed continuously rather than only when a subscription comes up for renewal.
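The audit May describes can be automated against a routine user export. The following is an added example, not code from the article or from Trend Micro: it runs over a constructed SaaS user list (assumed fields: status, last login, role, and whether HR still lists the owner as employed), flags orphaned, never-used and dormant accounts with a higher severity for admin roles, and computes how long a zombie account stays unnoticed when the subscription review is the only check, which is the "11 months" point above. The 90-day dormancy threshold is an assumed policy value.

```python
from datetime import date, timedelta

# Constructed sample export from a SaaS admin console (not real data).
# last_login None means the account has never been used.
ACCOUNTS = [
    {"user": "alice",      "status": "active",    "last_login": date(2013, 5, 20), "role": "admin", "hr_active": True},
    {"user": "bob",        "status": "active",    "last_login": date(2012, 11, 2), "role": "user",  "hr_active": True},
    {"user": "carol",      "status": "active",    "last_login": date(2013, 3, 1),  "role": "admin", "hr_active": False},
    {"user": "svc-export", "status": "active",    "last_login": None,              "role": "admin", "hr_active": True},
    {"user": "dave",       "status": "suspended", "last_login": date(2012, 1, 15), "role": "user",  "hr_active": False},
]

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold, not from the article
TODAY = date(2013, 6, 1)             # fixed "now" so the demo is reproducible
RENEWAL = date(2013, 1, 1)           # subscription renewal date used for the review-lag demo
LEFT_COMPANY = date(2013, 2, 1)      # day an employee leaves, one month after renewal


def find_zombies(accounts, today, dormant_after=DORMANT_AFTER):
    """Flag active accounts nobody is watching: orphaned, never used, or dormant.

    Returns a list of {user, reason, severity}. Admin-role findings are rated
    "high" because a subverted privileged zombie can do the most damage.
    """
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            continue  # already deprovisioned; nothing to do
        reason = None
        if not acct["hr_active"]:
            reason = "orphaned: owner has left but the account is still active"
        elif acct["last_login"] is None:
            reason = "never used: provisioned but no login ever recorded"
        else:
            idle = today - acct["last_login"]
            if idle > dormant_after:
                reason = f"dormant: no login for {idle.days} days"
        if reason:
            findings.append({
                "user": acct["user"],
                "reason": reason,
                "severity": "high" if acct["role"] == "admin" else "medium",
            })
    return findings


def next_review(renewal_anchor, cycle_days, after):
    """First review date strictly after `after`, when reviews happen only every
    `cycle_days` counted from the renewal date."""
    review = renewal_anchor
    while review <= after:
        review += timedelta(days=cycle_days)
    return review


def exposure_days(renewal_anchor, cycle_days, dormant_since):
    """Days a zombie account goes unnoticed if the billing review is the only check."""
    return (next_review(renewal_anchor, cycle_days, dormant_since) - dormant_since).days


if __name__ == "__main__":
    for f in find_zombies(ACCOUNTS, TODAY):
        print(f"[{f['severity']}] {f['user']}: {f['reason']}")
    print("exposure if reviewed monthly :", exposure_days(RENEWAL, 30, LEFT_COMPANY), "days")
    print("exposure if reviewed annually:", exposure_days(RENEWAL, 365, LEFT_COMPANY), "days")
```

Run as-is it flags bob (dormant), carol (orphaned admin, high) and svc-export (provisioned admin that never logged in), and shows that an account abandoned on 1 February waits 29 days for a monthly review but 334 days for an annual one. The HR cross-check is the piece most SaaS consoles cannot do on their own, which is why the export has to be joined against the identity source rather than reviewed in the vendor's UI.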
Keeping the keys to the safe
Once companies have a firm command of which characters are in play, it's time to key in on the information that they are producing, exchanging and storing. And when it comes to migrating that data to cloud environments, IT teams can't help but harbor a few reservations.
"It might be driven by paranoia, but still all the different analysts and conversations with customers show security is still No. 1 [when it comes to adoption inhibitors]," Trend Micro solutions architect Udo Schneider explained in a recent interview with Computer Weekly. "Most other problems, I don't want to say they are solved, but they are addressed."
Conventional wisdom among corporate IT teams is that the architecture cloud service providers have in place may be more robust, but it is no substitute for the peace of mind of hosting infrastructure in-house. As Schneider put it, business leaders take comfort in the fact that they could "run down to the IT department and press the big red emergency security button" if worst came to worst.
The middle ground appears to be the orchestration of a data security strategy that encrypts information prior to migration and leaves keys with the customer. By "disjoining" hosting and key management responsibilities, companies can feel confident that their investment in cloud-driven efficiency will not come at the cost of data privacy and compliance.
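What "disjoining" hosting from key management looks like in practice is envelope encryption done on the customer side before upload. The block below is an added example, not code from the article or from Trend Micro, and it assumes the Python `cryptography` package (its AES-GCM AEAD) is installed. The customer keeps a key-encryption key (KEK); each object is encrypted under a fresh data key (DEK), the DEK is wrapped under the KEK, and only ciphertext plus the wrapped DEK go to the provider, bound to the object name so blobs cannot be swapped between objects. The object name and sample record are constructed.

```python
import base64
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed sample record; stands in for a file about to be migrated.
SAMPLE_RECORD = b"acct=4471,name=J. Doe,ssn=REDACTED,balance=1200.00"
OBJECT_NAME = "customers/2013-q2.csv"   # assumed object key in the provider's store


def _b64(raw):
    return base64.b64encode(raw).decode()


def _unb64(text):
    return base64.b64decode(text)


def generate_kek():
    """Customer-held key-encryption key. Generated here for the demo; in practice it
    lives in an on-premises HSM or KMS and is never uploaded."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_for_cloud(kek, object_name, plaintext):
    """Envelope-encrypt one object. Returns the blob handed to the provider."""
    dek = AESGCM.generate_key(bit_length=256)   # fresh per-object data key
    aad = object_name.encode()                  # binds both ciphertexts to this name
    nonce = os.urandom(12)
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, aad)
    wrap_nonce = os.urandom(12)
    wrapped_dek = AESGCM(kek).encrypt(wrap_nonce, dek, aad)
    return {
        "name": object_name,
        "nonce": _b64(nonce),
        "ciphertext": _b64(ciphertext),
        "wrap_nonce": _b64(wrap_nonce),
        "wrapped_dek": _b64(wrapped_dek),
    }


def decrypt_from_cloud(kek, blob):
    """Customer-side read: unwrap the DEK with the KEK, then open the object."""
    aad = blob["name"].encode()
    dek = AESGCM(kek).decrypt(_unb64(blob["wrap_nonce"]), _unb64(blob["wrapped_dek"]), aad)
    return AESGCM(dek).decrypt(_unb64(blob["nonce"]), _unb64(blob["ciphertext"]), aad)


def stored_form(blob):
    """Exactly what the provider holds: a JSON document with no key material in it."""
    return json.dumps(blob)


def provider_attempt(blob, candidate_kek):
    """What anyone holding only the stored blob can do with a guessed KEK, or with
    the right KEK but a renamed blob: nothing, the authentication tag fails."""
    try:
        return decrypt_from_cloud(candidate_kek, blob)
    except InvalidTag:
        return None


if __name__ == "__main__":
    kek = generate_kek()
    blob = encrypt_for_cloud(kek, OBJECT_NAME, SAMPLE_RECORD)
    print("uploaded:", stored_form(blob))
    print("customer reads back:", decrypt_from_cloud(kek, blob))
    print("provider without KEK:", provider_attempt(blob, generate_kek()))
    print("blob renamed by host :", provider_attempt(dict(blob, name="other/object"), kek))
```

Two details matter for the compliance argument. The provider never receives the KEK, so a breach of its storage yields ciphertext and wrapped keys only, and rotating the KEK means re-wrapping DEKs rather than re-encrypting every object. Using the object name as associated data means a host that substitutes or renames a blob produces an authentication failure on read instead of silently wrong data.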
Cloud Security News from SimplySecurity.com by Trend Micro