Cloud security forecast: Murky with an 80% chance of finger pointing

Cloud security remains a troublesome issue for IT execs

San Francisco -- Despite the best efforts of cloud service providers and industry groups like the Cloud Security Alliance, cloud security remains a troublesome issue for IT execs.

At an RSA session devoted to cloud security, IT security pros complained about the lack of transparency among cloud providers and how that makes it extremely difficult to make informed buying decisions.

 

Hottest products at RSA Conference 2013

Do enterprise security teams want "Big Data Security"?

Juniper's "device fingerprinting" security technology gets mixed reviews

HP unveils 'Big Data Security' strategy

Weatherford outlines 'cyber 9-1-1' plan

Attendees in the audience pointed out that there's currently no certification for cloud security. And cloud vendors won't allow enterprise customers to go on site and actually touch the machines. So, where does that leave IT execs?

Nils Pulhman, former CSO at Zynga, suggested that IT execs grill prospective cloud service providers. "Play the role of a police investigator,'' he said. "Feel out how mature is the provider.''

In his experience, particularly with startups, "nine out of 10 fall apart'' when you ask the tough questions.

[FROM RSA: The hottest products at RSA]

He said enterprises need to understand that the No.1 priority for cloud providers is minimizing the impact of a security breach on themselves. Minimizing the impact on the customer takes a back seat, so "customers need to build out controls too.''

"You've got to demand transparency from the vendors,'' added Patrick Foxhoven, vice president of cloud operations at vScaler. "Without transparency, you can't audit.''

But many in the audience pointed out that a single enterprise customer doesn't have much leverage against a large cloud provider that's not accustomed to opening up its security policies.

One attendee asked about the problem of trying to evaluate a SaaS provider that's on a different vendor's PaaS platform, that's hosted on a third vendor's cloud infrastructure. "Does that mean three times the work?''

Foxhoven also pushed back against enterprise customers and said that, as a provider, he gets hit with huge security-related questionnaires from potential customers and most of the questions aren't applicable to the way security is implemented in the cloud.

He said there's no easy answer, but one suggestion for IT execs is to talk to other customers and find out what their experiences have been with a particular service provider. "That's the unfortunate reality of where we're at today,'' Foxhoven said.

Read more about wide area network in Network World's Wide Area Network section.

Tags: HP, Cloud, security, Zynga, cloud security alliance, internet, cloud computing, Wide Area Network

Confirmed: hackers can use Heartbleed to steal private SSL keys

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Protect against bugs in USB Storage devices

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.