Cloud Risks and the Security Community

Security tends to dominate many discussions regarding the adoption of cloud computing. I outlined some of the risks that often come up in this context. Yet, which of the information security risks are actually unique to the cloud paradigm? Michael Cloppert raises this point in his insightful post Let’s Enable Cloud Computing.

Michael points out that most of the risks brought up in cloud discussions are applicable to IT in general and either have a mitigation strategy or have been accepted. He sums up the infosec community’s response to cloud security as “fear of the unknown,” concluding that:

"Classic InfoSec mindset is as a gateway; a veto-holding non-voting member of the IT community. The correct role, in my opinion, is as an active participant in technical innovation, architecture, and the engineering process, making sure requirements are met in a way that balances risk with cost - not eliminating risk at extraordinary cost."

Well put.

I tie the fear of the unknown to the desire to wait for cloud technologies and management processes to mature, and that’s fine with me. For instance, during early VLAN days, not many admins knew the syntax and the implication of certain commands, and were more likely introduce a configuration error that introduced a vulnerability. Similarly, many organizations implementing virtualization in the context of cloud computing are new to the tools and can make configuration mistakes. Further, the products they’re using are relatively immature and haven’t been time-tested.

The risks related to the newness of cloud technologies will become less of an issue in about a year. Until then, most security professionals will apply extra scrutiny to proposals that involve processing sensitive or regulated data in shared cloud environments. I think that’s a good idea, as long as the discussions don’t immediately lead to a flat “no way” as soon as the term “cloud” is brought up.

The biggest concern I have over outsourced cloud is that the economics are pushing a lot of companies to outsource without carefully understanding and codifying their requirements. Further, they might not know how to define a proper outsourcing contract, how to manage the IT transition project or how to oversee the resulting environment. These are the areas where experienced information security professionals can add a lot of value.

Want to know more? Read my earlier notes on cloud security.

Lenny Zeltser

Updated November 26, 2010
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more