Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

11/15/2013
08:00 AM
Frank Ohlhorst
Frank Ohlhorst
Commentary
50%
50%

Avoid The Bermuda Triangle of Cloud Security

As cloud services permeate the enterprise, security still inhabits the unknown. Can enterprises venture into cloud-based security without traversing a Bermuda triangle of doubt?

Enterprises are turning to the cloud for all sorts of permutations of the family of cloud services. Although these services may lighten the load on corporate data centers and simplify administration, support, and provisioning, there is what some may call a dark side, which amounts to securing those scattered services and protecting the data that traverses the heterogeneous networks that may lie between.

Naturally, cloud services providers have an answer, one that implies a self-severing nature -- security-as-a-service, or SECaaS -- where security is outsourced to a host (or provider). While it may sound like an ideal methodology for removing the burdens of security management from internal IT, and fully leveraging what the cloud has to offer, there are some things IT managers need to consider before signing on the dotted line.

First and foremost is defining exactly what the SECaaS offers in the form of security -- and that may take delving deeper into the service-level agreements (SLAs) that accompany a given service. For example, does the offering include firewall (and firewall management), VPN (site-to-site, user-to-app, etc.), intrusion prevention, intrusion detection, anti-malware, user authentication, auditing, traffic analysis, and so on?

In other words, it's critically important to verify that SECaaS offers 360 degrees of protection, because any missed element could quickly lead to a breach.

It's also very important to determine the level of responsibility of the SECaaS vendor, asking questions such as:

  • Who maintains the system?
  • Who has patching responsibilities?
  • Who provisions new users?
  • Who audits system security?

These questions should all be represented in the SLA, and more importantly -- vetted by corporate IT.

The real challenge with cloud-based or hosted security is not the technology itself, but how it's used. Many corporate entities do not leverage capabilities to their fullest, which creates an environment where a breach becomes not only possible, but inevitable.

That has blackened the eye of cloud security offerings. However, improper use of services has not been the only culprit here; many vendors have also made missteps on the path to hosted security, creating disasters of their own making, which in turn has cast a negative light on hosted security.

Yet vendors are learning from their mistakes, advancing the technologies to create hybrid offerings, such as those managed security solutions that incorporate endpoint security with a premise security appliance. This is connected to the cloud services provider for updating, management, monitoring, and so on.

The idea here is to abstract security from centralized processing and then distribute security technologies to the various endpoints and parts of the network that control traffic. At the same time, there is still central management, and a control console to consolidate and unify security management.

As vendors improve their hosted offerings and integrate more security capabilities, SECaas will become more viable for enterprises, and at that point the conversation can switch to budgetary concerns, such as return on investment (ROI) and total cost of ownership (TCO), which will become the primary motivators to move security into the cloud.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
11/16/2013 | 6:59:21 PM
Security as a Service
Some security technologies work well in the hosted model, such as URL filtering and email security; both of those have fairly long track records. Less proven cloud-based security services include identity & access management.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15564
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info is used by a guest to register a shared region with the hypervisor. The region will be map...
CVE-2020-15565
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs....
CVE-2020-15566
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. The allocation of an event-channel port may fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, o...
CVE-2020-15567
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes...
CVE-2020-15563
PUBLISHED: 2020-07-07
An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM g...