Understanding the Security Challenges of Cloud Computing

An Internet.com Security eBook

© 2010, Internet.com, a division of QuinStreet, Inc.

This content was adapted from Internet.com’s Enterprise IT Planet, eSecurity Planet, CIO Update, and Datamation websites. Contributors: Sonny Discini, David Needle, Robert McGarvey, and James Maguire.

Contents

Enterprise Cloud Computing: Risk and Economics
Cloud Computing Faces Security Challenges
Cloud Computing Requires Security Diligence
Three Steps to Secure Cloud Computing
How Cloud Computing Security Resembles the Financial Meltdown

Enterprise Cloud Computing: Risk and Economics

By Sonny Discini

Everyone is talking cloud these days, and why not? The offerings are maturing, and the benefits are starting to appeal to those who want to solve the enterprise risk and economic issues still on the table. Things like pay-per-use models now have us looking at how we assess hardware and software costs. You can now pay for only what you use instead of buying a full application suite. But can the economic and risk factors drive enterprises over to full cloud deployments?

A New Way of Doing Business

As I just mentioned, the enterprise now has a new way of looking at the economics of operational IT. This extends from core apps right down to enterprise security. Cloud computing is better at optimizing capital investment because it requires less capital outlay for hardware, software, and real estate; instead of investing in them, enterprises procure cloud services. This significantly lowers total cost of ownership, which has traditionally been a significant burden on the enterprise.

When we think of large enterprise IT, we cannot let go of the old assumption that it is slow to move when it comes time to make a change. Cloud offerings may crush this old adage. Cloud computing typically requires significantly less time and effort to provision additional resources for existing applications or new resources for new applications. The straightforward procurement model and the use of shared infrastructure also lead to the greater agility of the cloud computing model.

Another area where costs have traditionally been high is IT talent. Cloud models will allow the enterprise to tap talent pools for a fraction of the cost of retaining in-house staff. This will give IT pros heartburn, but those who are able to shift on the fly will be able to turn their focus to solving business problems. The enterprise can then fully focus on business objectives and allocate more resources to solving business problems, even the ones that were practically unsolvable with in-house staff. From another angle, the cloud model now gives small organizations access to IT services and talent previously out of reach. The small organization now has the ability to tap the same level of talent and services as the large enterprises.

You Cannot Shift Risk

Cloud computing offers computing architectures and innovation potential never before seen in large and small enterprises. It is important to understand that risk does not evaporate in the cloud; nor does it shift to the cloud provider. The provider may operate many of the controls, but accountability for the data stays with the enterprise that owns it. Enterprise security professionals have been waving the red flag to C-level executives interested in migrating to the cloud. Questions must be asked such as:

• Which risks related to service reliability, availability, and security arise?
• How much control can the user exert over the IT services provider?
• What control must be given to the provider, and what trust assurances exist?

Given that cloud models are new, even with the SLAs provided today, an enterprise can quickly find that what it thought it was getting may not be the case at all. Legal departments are also seeing cloud issues for the first time, so it is extremely important to involve all enterprise teams when looking at cloud contracts, potential litigation exposures, and of course security risks.

Cloud computing offers significant benefits to the organization in terms of economics, agility, innovation, simplicity, and even social impact. However, the devil is in the details, and while there are many benefits to the cloud model, the trust and risk aspects of the cloud are still widely unknown, and hence very dangerous. When enterprise architects and security pros design controls around business processes, they will have to take traditional tools and refine them to provide sufficient protection to the enterprise in this new dawn of computing.


Cloud Computing Faces Security Challenges

By David Needle

Is cloud computing adoption hurt by security issues, compliance concerns, or just a poorly chosen name?

“The worst thing we ever did was coin the term ‘cloud,’ which takes a business process and makes it sound ... out there,” said Thinkstrategies analyst Jeff Kaplan.

But John Weinschenk, CEO of security firm Cenzic, said cloud security is far more of a pressing concern. “It’s actually impossible to secure the [public] cloud today,” he said. “You just don’t know if your information is going to be processed in Czechoslovakia or Russia, and what they’re going to do with it. And if anything goes wrong, who do you sue?”

John Desantis, CEO of identity management provider Tricipher, agreed. “There is a thin veil that is clearly being penetrated,” he said.

But Weinschenk and Desantis made clear they were talking about public, consumer service-style cloud providers. Weinschenk said the future for enterprises lies in private and semi-private clouds that are more closed systems, where the security parameters and service guarantees are known.

Nicholas Popp, vice president of product development at domain management and security provider Verisign, disagreed to the extent that he said companies like his have the potential to make cloud services even more secure than traditional datacenter solutions.

“Customers think security is the cloud issue, but it’s really a trust issue ... a governance issue,” Popp said. “Can I set the policies I want to and impose them? And second, can I verify that the policy works? It’s about governance and control issues.”

“You never sell security,” he added. “You sell compliance to those who need it. When we look at people embracing the cloud, it’s really from the big guys who control a private cloud and can scale it to realize the benefits. The other buyers are SMBs who are looking to outsource everything.”

Randy Barr, chief security officer at Qualys, said enterprises are demanding that their cloud service providers offer greater visibility to make it clear that the systems are secure — a service his firm provides.

“You can get scans of the cloud system for vulnerabilities,” he said. “We’re seeing more transparency from providers to meet this demand.”

CIO Objections

Security isn’t the only concern enterprise buyers have about cloud computing systems, which in theory can save an order of magnitude in costs over companies buying and managing their own computing infrastructure.

“From an enterprise perspective, the CIO wants to hold off,” said Joe Tobolski, a partner at Accenture Technology Labs. But he warned that cloud services are already popular if you include social networks like Facebook and Twitter, as well as e-mail services like Gmail, in the mix. These services “are ridiculously easy to sign on to. There is going to be a clash of the command and control infrastructure that a lot of CIOs prefer to those people who want to get stuff done.”

Charles Carmel, vice president of corporate development at Cisco, said that trends like the cloud and software-as-a-service (SaaS) in particular are causing “one of the largest disruptions across the IT landscape.”

But Marc Benioff, CEO and founder of one of the best known and most successful SaaS providers, Salesforce.com, conceded that “the vast majority of software is still with companies in their datacenters.”

“That’s the opportunity,” Benioff added. “I try to educate people because companies want to hold [us] back, like the people that want to sell more servers.”


Cloud Computing Requires Security Diligence

By David Needle

Offloading IT infrastructure to a cloud computing provider can result in great cost savings and more streamlined, flexible operations. Need more compute power or storage? Cloud systems like Amazon’s readily scale, so there’s no need to go through a time-consuming purchasing process or scramble to find more room for an expanded datacenter.

But the cloud is not a panacea, and the need to adhere to information management best practices remains, Symantec executive Deepak Mohan told InternetNews.com.

Mohan should know. As senior vice president of Symantec’s Information Management Group, he oversees a range of products and services, including information archiving and backup, and regularly meets with enterprise customers. The company also works with leading cloud providers like Amazon to ensure their services are compatible.

He jokes that the cloud is very “cloudy” when it comes to enterprise adoption, as companies are still experimenting with the best way to leverage it and feel confident their data is secure. Mohan said he’s frequently seeing a hybrid approach where companies rely on a cloud provider for storage or certain applications, but also maintain on-premise backup for security and recovery and to make sure they can adhere to compliance requirements.

“Inside the cloud, customers need the same level of security and data protection,” said Mohan. While managed service providers offer service level agreements (SLAs) and security assurance, Mohan said companies can and should take extra steps to ensure their information is safe.

“There are many security endpoints with cloud services and that’s where authentication becomes very important. It’s a big area of investment for us,” said Mohan, noting Symantec’s $1.28 billion purchase of VeriSign’s authentication services unit.

“Amazon is going to encrypt and store your files, but the backup data stream may be unencrypted. So things like security in transit are services we provide that support the hybrid, cloud and on-premise use cases.”

The practical point for a customer is that encryption at rest on the provider’s side says nothing about the path the data takes to get there; the transport has to be checked separately.

Mohan also said it’s important for companies, particularly those in highly regulated industries like finance and health, to be sure their information on the cloud is organized both for retention and compliance.

“The cost of legal e-discovery can exceed government fines. It’s very expensive to do on a reactive basis and lawyers love it because they charge by the hour and the page,” said Mohan. “What you want to do is instrument your information on the way in, not after the fact.”

Symantec is one of many providers that have services to index and protect data. Mohan said Symantec’s Enterprise Vault archiving platform follows the EDRM (Electronic Discovery Reference Model) and offers different export formats for outside counsel that are admissible in court.

“Some companies are ahead of the curve and moving proactively to make sure their information is being managed effectively,” said Mohan. “Another class of companies really gets serious after their first litigation request.”


Three Steps to Secure Cloud Computing

By Robert McGarvey

You can close your eyes and pretend it is not happening — many CIOs are doing exactly that — but face this reality: “Cloud computing is with us to stay. Everybody will soon be using it.”

At least this is the prediction of Jim Haskin, CIO at Websense, a San Diego-based data security provider, and others.

A scary thought? For many CIOs, yes. “They are panicking about this,” said Kirill Sheynkman, CEO of San Francisco-based Elastra, a developer of applications currently deployed in association with Amazon’s cloud computing offering. The panic is well-founded, isn’t it? Because of the security concerns that come with jumping the firewall?

Sheynkman snorts: “Security is not the issue. Do you think your IT department knows more about data security than Amazon does?”

Reality check: “Data security in the cloud is no different than data security at a remote data center,” said John Lytle, a senior consultant with IT consulting firm Compass in Chicago.

In many cases, data at most companies “are more at risk in their own environment than in a well-managed cloud,” said Mike Eaton, CEO of Cloudworks, a Thousand Oaks, Calif.-based provider of cloud-based services, primarily to small and mid-sized businesses.

Capable Hands?

The big cloud players — Amazon, Google, Oracle/Sun, Salesforce.com — know more than a little about maintaining online security and, considered in that context, worries about outsiders knocking down the security walls and having their way with your data indeed seem overwrought. “There’s been a lot of over-reaction,” said Sheynkman.

“The question should not be about data security in the cloud,” elaborates Haskin. We need to be asking other questions that probe exactly why we are afraid of cloud computing, and certainly, as a group, CIOs are resisting it. But just maybe that has to end, because the time to dither may be running out for CIOs.

Bill Appleton, chief technical officer at Mountain View, Calif.-based Dreamfactory, a developer of cloud-based applications, ominously warns: “The cloud may skip IT and sell directly to end users. It might simply bypass the command and control system of IT.”

And that may be the legitimate worry. A CIO nightmare revolves around unauthorized use of public cloud resources by employees who may be putting sensitive internal data online in Web-based spreadsheets or slide shows.

“Most CIOs worry a lot about employees putting data that shouldn’t be public in public places,” said Christopher Day, senior vice president of security services at Terremark Worldwide, a global provider of IT infrastructure. That fear is justified. What would the board of directors say if it discovered the company’s strategic plan was accessible in a public cloud? But Day also suggests that CIOs can snuff out this potential firestorm simply by taking a direct approach.

“Just put into place clear policies, then educate employees about them,” said Day.

Pull your head out of the sand (or clouds, as the case may be) and directly attack this concern. That is how to make it vanish. Understand too that employees who upload sensitive data usually mean well. They are just looking for better ways to work. Look for other, more secure ways to let them do exactly that, adds Day. Take those two steps and most likely cloud-based shadow IT will diminish in your organization.

Securing the Logon

Another lingering worry about cloud computing is that — with many providers — log-ons are too primitive. “Large enterprise will not embrace the cloud until security significantly improves,” flatly predicts John Gunn, general manager at Chicago-based Aladdin, a developer of digital security tools. The worry here is that when barebones log-ons are in use, old-fashioned social engineering techniques will let hackers learn employee log-ons and, watch out, data leakage will be at flood stage.

But, said Gunn, the solution is simple: enterprises should only permit data to migrate to the cloud where two-factor, strong authentication is in use, and right there, hackers probably are kept at bay. The point of the second factor is that a password obtained by social engineering is no longer sufficient on its own. Take just that step, suggests Gunn, and considerable big-company opposition to cloud computing would instantly evaporate. Most mainstream cloud providers are hanging back on this but, suggests Gunn, when enough users cry out for safeguards the cloud companies will respond.

Here Today …

A final, big worry, particularly in today’s unstable economy, is the durability of the cloud provider, said Raimund Genes, CTO at Trend Micro, the global security company. “You need a provider that will be in business three years from now. When you give up your IT infrastructure, you need a reliable service provider.” When a cloud provider goes bankrupt, how accessible is your information, and by whom? Better not to deal with such questions at all by instead going with cloud providers that have the wherewithal for a long-haul contest.

Parting advice for CIOs who are still wringing their hands in worry over data in the cloud comes from Elastra’s Sheynkman, who reminds us: “It’s not all or nothing. It does not have to be. Put only the data you are comfortable with on the cloud. That is what most companies seem to be doing. We are still in an era of experimentation.”

Take it in little steps but start taking some steps; that’s the smart way to embrace the cloud.


How Cloud Computing Security Resembles the Financial Meltdown

By James Maguire

How do you know if a cloud computing vendor is secure?

After all, you trust them with highly sensitive data and business-critical processes. Your entire business may rest on your ability to evaluate their level of security.

When they make claims about their nearly absolute level of safety, should you just take their word for it?

Goodness no, say the vendors, we’ve got a third-party certification to back up our claims. Specifically, they point to their SAS 70 certification. SAS 70 is an auditing standard under which an accounting firm reports on a service organization’s controls; vendors use it to vouch for their handling of sensitive information. It was created by the impressively named American Institute of Certified Public Accountants (those folks know how to fill out forms). SAS 70 was around before cloud computing, and has been shoehorned into use by vendors seeking an impartial third-party credential to reassure nervous cloud customers.

But here’s where it gets dubious. Guess who writes a check to the SAS 70 certifiers? Believe it or not, it’s the vendors themselves. If you were a cynical, non-trusting type (which you should be if your company’s data is at stake) you might wonder if that is a conflict of interest. Don’t accounting firms have a vested interest in granting SAS 70 certifications to those cloud computing vendors who can pay for them?

Hmmm… as a client of a cloud vendor, I’m feeling nervous. But SAS 70 really does mean something, doesn’t it? Well, probably.

More troubling, at this point you might have a moment of déjà vu. Wasn’t a similar conflict of interest at the heart of the recent financial meltdown?

In the view of Jay Heiser, a Gartner analyst who specializes in security, the connection is clear. He’s the author of the research report “Analyzing the Risk Dimensions of Cloud and SaaS Computing.” After reading Michael Lewis’s account of the financial debacle, The Big Short, Heiser told me, “I found more parallels between what happened in the financial services and cloud computing than I anticipated.”

Let’s rewind the tape a bit. A distressing fact about the Crash of 2008 is that the major credit rating agencies – the very groups tasked with protecting investors – were tacitly complicit.

The two biggest ratings agencies, Moody’s and Standard & Poor’s, failed to send up red flags about subprime mortgage-backed securities. These supposedly impartial watchdogs evaluate the creditworthiness of securities, enabling investors to make informed decisions. Yet instead of labeling junk as junk, they bestowed a top AAA grade on highly risky assets.

Shockingly, virtually all of the AAA-rated subprime mortgage-backed securities issued in 2006 have now been downgraded to a junk rating.

It was a clear conflict of interest. These ratings agencies are paid by the issuer of the security. Perhaps it’s not surprising that they labeled some rotting sausage as high-grade beef. If one of the agencies had threatened to give a low (but accurate) rating, the issuer would simply shop at another ratings agency. The system itself was set up to provide false assurance.

Now back to cloud computing and SAS 70. OK, let me get this straight: the cloud companies pay accounting firms for SAS 70 certifications just as the financial organizations paid Moody’s for an investment-grade rating?

“Yes, if you see someone who claims to be SAS 70, they have paid an accounting firm. Not only have they paid an accounting firm to go do the test, but they’ve told the accounting firm what processes need to be tested,” Heiser says.

“And you see a distressing number of providers that are claiming, ‘Well, we’re secure, or we have availability – it’s proven by the fact that we have a SAS 70.’”

This statement echoes a key finding that Heiser noted in his report:

Third-party certifications are immature, are unable to address all aspects of cloud-computing risk, and should be relied on only after a thorough evaluation of the written report.

To be fair, a SAS 70 is likely more than a mere piece of paper. It may prove more than the fact that the vendor has the money to hire an accounting firm. Perhaps it should be thought of as a good starting point. Still, the responsibility remains squarely on the client to evaluate the SAS 70’s written report and make their own determination. Were the right controls included? Were they evaluated to the appropriate degree? In practice that means reading which control objectives the vendor chose, what period the testing covered, and which exceptions the auditor noted.

In other words, buyer beware. You have to do your own digging. From Heiser’s report:

Do not accept the claimed existence of a certification or other third-party assessment as being adequate proof of security and continuity fitness for purpose. Thoroughly review the assessor’s written report to ensure that the scope of evaluation is adequate, and that all necessary processes and technologies were appropriately addressed.

But is it IT?

An additional question bedevils the debate over cloud security: Is SAS 70 — even if administered by an impartial third party (which it’s not) — an insightful evaluation of a cloud computing vendor’s security?

SAS 70 was never designed for this use, though in theory it could address an IT risk scenario. “Call me a cynic, but SAS 70 is an auditing standard originally intended to be used against processes relevant to financial statements, secondarily to financial transactions,” Heiser says.

“So the thing starts very, very far away from anything that would traditionally be considered an information security or a business availability assessment. It’s done by accounting firms.”

A common perception of the financial evaluators involved with false credit ratings is that they were not the cream of the Wall Street elite. Those brighter talents were pursuing vastly more remunerative activities.

In contrast, “I would expect that whoever is doing a SAS 70 is a fairly ambitious [staffer] at a CPA firm,” Heiser says. “Still, are they auditors? IT? Did they go to Purdue and get a Master’s degree in Information Security? What’s their background for all this?”

The moral of this cautionary tale is best summed up with a last key finding from the Gartner report:

Be skeptical of vendor claims, and demand written or in-person evidence.
