Cloud security forecast: Murky with an 80% chance of finger pointing

Cloud security remains a troublesome issue for IT execs

San Francisco -- Despite the best efforts of cloud service providers and industry groups like the Cloud Security Alliance, cloud security remains a troublesome issue for IT execs.

At an RSA session devoted to cloud security, IT security pros complained about the lack of transparency among cloud providers and how that makes it extremely difficult to make informed buying decisions.


Hottest products at RSA Conference 2013

Do enterprise security teams want "Big Data Security"?

Juniper's "device fingerprinting" security technology gets mixed reviews

HP unveils 'Big Data Security' strategy

Weatherford outlines 'cyber 9-1-1' plan

Attendees in the audience pointed out that there's currently no certification for cloud security. And cloud vendors won't allow enterprise customers to go on site and actually touch the machines. So, where does that leave IT execs?

Nils Pulhman, former CSO at Zynga, suggested that IT execs grill prospective cloud service providers. "Play the role of a police investigator,'' he said. "Feel out how mature is the provider.''

In his experience, particularly with startups, "nine out of 10 fall apart'' when you ask the tough questions.

[FROM RSA: The hottest products at RSA]

He said enterprises need to understand that the No.1 priority for cloud providers is minimizing the impact of a security breach on themselves. Minimizing the impact on the customer takes a back seat, so "customers need to build out controls too.''

"You've got to demand transparency from the vendors,'' added Patrick Foxhoven, vice president of cloud operations at vScaler. "Without transparency, you can't audit.''

But many in the audience pointed out that a single enterprise customer doesn't have much leverage against a large cloud provider that's not accustomed to opening up its security policies.

One attendee asked about the problem of trying to evaluate a SaaS provider that's on a different vendor's PaaS platform, that's hosted on a third vendor's cloud infrastructure. "Does that mean three times the work?''

Foxhoven also pushed back against enterprise customers and said that, as a provider, he gets hit with huge security-related questionnaires from potential customers and most of the questions aren't applicable to the way security is implemented in the cloud.

He said there's no easy answer, but one suggestion for IT execs is to talk to other customers and find out what their experiences have been with a particular service provider. "That's the unfortunate reality of where we're at today,'' Foxhoven said.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags HPZyngasecurityCloudcloud security allianceWide Area Networkcloud computinginternet

More about CSOHPJuniperRSAZynga

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Neal Weinberg

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts