Cloud providers need to step up on security, say analysts

Cloud providers ought to provide data security -- that should be obvious. But some providers themselves, along with some security analysts, say they also ought to be doing more, such as educating their customers about best security practices.

Not that all providers are providing the basics themselves. CenterBeam, a managed services provider for midsize businesses, reported about a week ago that a recent security test of cloud providers found that some were not securely separating virtual servers located on shared hard disks. This vulnerability would allow an attacker to access fragments of customer data and possibly gain control of other servers.

But a more common problem, according to The 2012 Information Security Breaches Survey (ISBS), is that businesses are simply putting their data in the hands of third parties with little or no scrutiny.

It found that 34 percent of small businesses were allowing personal mobile devices to attach to networks, but without putting proper Bring Your Own Device policies in place.

The survey, written by PricewaterhouseCoopers in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills, found that 73 percent of organizations are using at least one outsourced service over the Internet, but only 38 percent ensure that data being held by external providers is encrypted.

According to the Cloud Industry Forum (CIF), encryption may not be enough, or may not be the right solution. CIF, a UK-based organization founded in 2009, has mostly European members but some American firms like Microsoft and Dell.

In some cases, the organization says, access control, firewalls and VPNs may be more efficient and cost less than encryption. CIF Chairman Andy Burton, speaking last week to BusinessCloud9, said cloud providers need to do a minimum of three things:

  • Be clearer up front with their prospects and customers about their approach to security and what options are available to adapt it, without compromising security in the process.
  • Communicate in standardized language about classification of security risks and solutions, allowing procurers to compare different providers easily when making purchasing decisions.
  • Educate end-users on what they need to look for technically, commercially and legislatively to ensure data security when migrating to a cloud-based solution.

CIF spokesman Richard Merrin, managing director of Spreckley Partners, says one goal of the organization is to "help end users identify critical information that can aid their selection of cloud service providers. In that sense it aims to clear up the confusion and FUD [Fear Uncertainty and Doubt] in the market."

It is also good business, he says. "What is right for one company with one specific application may not be right for another," Merrin says. "The suppliers that will succeed in the market over the long-term are those that recognize and embrace this and provide confidence and clarity to their customers and prospects."
