Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Three Public Cloud Security Myths

Organizations Don’t Have to be Fearful of Public Clouds, They Just Need to Better Understand Them.

Organizations Don’t Have to be Fearful of Public Clouds, They Just Need to Better Understand Them.

At the RSA Conference earlier this month, there were two topics that seemed to prevail: mobile and cloud security. As more mobile payment platforms and applications arise, 2012 will be a year that highlights a whole new set of vulnerabilities. A recent hack on Google Wallet is just one example of what’s to come. And the Cloud Security Alliance announced new initiatives specific to mobile security.

The cloud security discussion is of course already well underway and was only heightened at the event. There is still quite a bit of speculation around the ability for a cloud infrastructure to be truly secure. Today I’d like to tailor that debate even further and discuss one of my favorite topics: the public cloud. Here are three myths about public cloud security.

You can’t achieve regulatory compliance in cloud environments.

Cloud Security Concerns?Many folks don’t know that the Payment Card Industry (PCI) has enacted guidelines that specifically address public cloud environments. In fact, PCI-DSS 2.0 was written with a strong emphasis on virtualized environments. The technology and means are there, it’s just that many vendors and companies aren’t yet spending the money and taking the steps to achieve them. Because the public cloud is inherently a shared infrastructure, public cloud providers are in a unique situation to provide regulatory compliance controls. By deploying security measures carefully and cross-mapping controls for compliance such as PCI and HIPAA, even non-compliant customers reap some of the benefit. Compliance in itself is not security. But being able to produce a compliant infrastructure is big piece of the pie. The point, however, is that it can be done.

If one company in that cloud gets hacked, everyone else is vulnerable.

Albeit a common perception, public cloud hosting is not shared hosting. While organizations are using a common shared infrastructure, the data, networks and device policies can be completely segregated. It’s possible to setup the public cloud environment in a way that forces all external and semi-external traffic to traverse the network. This means companies will be subject to the same security countermeasures and inspections regardless of the source of traffic. For instance, if an organization running an Ecommerce site and another organization that uses their services co-exist on the same public cloud infrastructure, the client traffic would be forced to exit the infrastructure and come back in as if they were sourcing from the Internet. Complete logical segregation is possible, and it’s necessary for security, as well as most regulatory compliance.

The Cloud can never be as secure as a dedicated server.

The 2011 Verizon Data Breach Investigation Report points out that internally hosted, internally managed infrastructures are breached most frequently. This is because the management of these types of infrastructures is typically less focused on the day-to-day security than those that are using cloud or virtualized environments. This is a similar characteristic in most industries. If architected and managed properly, there is no evidence that a public cloud environment is any less secure than a traditional, dedicated one. A cursory look at Google Search Volume Index statistics reveals evidence that organizations are ditching their dedicated environments for cloud alternatives. Public cloud environments are typically built and maintained by companies that are constantly monitoring and managing the infrastructure for integrity and vulnerabilities – always working to improve and secure the environment. The Cloud Security Alliance has implemented standards and procedures that, if followed by vendors, can actually mean cloud environments are being better cared for from a security standpoint than dedicated.

If we learned anything at the RSA Conference this year, it’s that cloud infrastructures can be secure, and they must be for the need is growing quite fast. In this vein, organizations don’t have to be fearful of public clouds. They just need to better understand them.

Read More in SecurityWeek’s Cloud Security Section!

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cloud Security

Cloud Disaster Recovery - Ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility