6 Common Cloud Security Myths

Source: Internet
Author: User
Keywords: cloud services, data center, cloud security

In the current recession, IT departments face constrained security budgets and growing compliance requirements, and companies are considering whether to hand some IT operations over to cloud service providers. Everyone is under heavy pressure to protect data, especially small and medium-sized enterprises with insufficient budgets, which means enterprises need to outsource part of their IT operations to third parties to reduce capital and staffing costs.

Rushing into cloud computing is dangerous, but it is also unwise to dismiss cloud computing on the assumption that you can protect your infrastructure better than a service provider can. Other misconceptions include the belief that you no longer need to worry about data security once the data has been handed to a cloud service provider, and the belief that it is up to you to decide whether and how the enterprise uses software as a service (SaaS): you may find that you are the last person to know that the enterprise has deployed SaaS.

When an enterprise considers or decides to move its systems, applications, and data to a service-based model (i.e., cloud computing), there are many other mistakes it can make: failing to verify and test the security of the cloud service provider, failing to verify the reliability of the vendor, and handing insecure applications to the vendor without making any changes while expecting them to become more secure automatically. Let's take a closer look at these six common cloud security errors and how to avoid them.

Error 1: Assuming the cloud is not as secure as the data center

As the people chiefly responsible for protecting corporate data and intellectual property, security experts have a very strong desire for control, and this has led them to a misunderstanding. "The most common mistake is that as long as we talk about cloud computing, companies will think that cloud computing is less secure than their own IT security operations," says Chenxi Wang, a leading analyst at Forrester Research. "It is widely believed that the stronger the control, the safer it is."

In fact, for cloud services like Google's SaaS, data loss is unlikely because the data can be accessed at any time without being saved to a USB storage device or CD that is easily lost or stolen, according to Eran Feigenbaum, Google's application security director. Feigenbaum said that Google's vulnerability patching program is more organized than security updates at a typical enterprise, because Google's server structure is homogeneous. "Many attacks occur because the enterprise lacks security vulnerability management and has misconfigured servers. For us, when new security patches are released, we can quickly patch the entire platform in a unified way."

"SaaS and other cloud vendors have a more holistic view," Feigenbaum said on a cloud security panel at the RSA Conference in April. "Companies see only a small aspect of the threat to the business." Cloud providers can look at the overall situation from a more holistic perspective, and the cloud can change the security situation and has the ability to provide better security.

"But that does not mean that companies can blindly trust cloud service providers, although larger suppliers may be able to provide better services," says Wang of Forrester Research. "Cloud service providers deal with security issues at more complex levels, unlike corporate IT teams, which focus on daily needs only."

It is not correct to assume blindly that the security provided by the cloud is poor or that it has more problems. "So far, security issues have been a major obstacle to broad deployment of cloud services," said Michelle Dennedy, Sun's cloud chief management officer. "The lack of trust in cloud services, not the technical capabilities of cloud services, has been a factor in preventing the widespread use of cloud services. But in many cases, cloud services are more secure than enterprise environments."

Error 2: Not verifying, testing, or auditing the security of the cloud service provider

When you choose a service provider, do not judge the provider's security lightly; verify how the provider protects your data and how secure its infrastructure is. "It's not easy to trust a supplier; you have to verify, test, or hire a third party to audit the security of the cloud service provider," said Dennis Hurst, HP Software and solutions security engineer.

But testing a vendor's security is not that simple. Not all cloud service companies can articulate their own security policies and rules, and they often do not communicate them well. "It's not clear how the data center cloud is protected," Jian Zhen, head of cloud solutions at VMware, said at a recent RSA meeting. "Cloud service providers need to better explain cloud computing and make users feel comfortable, not because cloud service providers don't have better security, but because it's not so transparent."

Hewlett-Packard's Hurst said to make sure that your cloud service provider isolates systems in a secure manner. "The enterprise does not verify that their systems and data are separated; they only confirm that the virtual machines are separated. But their applications may run on a server running 100 other virtual machines simultaneously," and the vendor may not have isolated them properly, or the IP addresses may not be blocked by the firewall.

"Hire a trusted third party to verify the security of the cloud vendor, or negotiate with the vendor for online testing and validation," he said. "Vendors should put their systems in a document format so that they are easier to authenticate. To verify that the virtual machine is protected, you can run a port scan outside the environment to confirm that you are not able to access other customers' machines."

How a cloud service provider approaches its security and privacy can indicate how safe that provider is. "If they are confident about their security, then they are relatively safe," said Forrester's Wang. "Conversely, if the supplier is not willing to talk about security issues, consider another supplier."

"In the past few years, Google has been providing detailed information on SaaS security, including white papers," Feigenbaum said. "Perhaps not on the home page of our site, and users may need to sign an NDA or meet other requirements, to maintain a balance between security and visibility."

At the same time, cloud computing provides an opportunity to build security in from the data side through to cloud services. "This should be what the Internet needs to do," says Sun's Dennedy, "and now we need to choose the best security technologies and deploy these technologies to secure cloud services products."

Error 3: Not reviewing the business reliability of the cloud service provider

The third misconception is to fully trust the vendor before you have confirmed the cloud service provider's business reliability. "What can you do if your supplier suddenly disappears tomorrow?" Hurst said there had been cases in which the FBI raided a company, a U.S. supplier in Texas, and confiscated data centers and computers because of suspected illegal activity. "Only one computer was used for illegal purposes, and other computers were confiscated," leaving customers with a lot of damage.

Users should therefore be prepared to keep a copy of all the content needed to keep the business working properly in case the cloud service provider suddenly stops providing the service. In addition, you need to determine whether the cloud service provider has a disaster backup plan, which is a challenge for smaller cloud service providers. Fortunately, we rarely hear of cloud service providers abruptly stopping service delivery; problems are more likely to be related to security practices. And so far, companies have handed only some non-critical applications, such as e-mail programs, to cloud service providers, so cloud services may pose little risk to other enterprise applications.

Error 4: Thinking that data security is left to the cloud service provider

Don't assume that outsourcing an application or system means you bear no responsibility at all for a data leak, a misconception that many SMEs hold. Handing data protection to a cloud service provider does not mean that you are free of responsibility when a data leak occurs. "Ultimately, companies are responsible for data leaks, and corporate CEOs may be judged rather than cloud service providers," Zhen of VMware said at the RSA meeting. Highly regulated businesses often become aware of this quickly, Forrester's Wang says: "The owner of the data is always responsible for the customer's data."

Hewlett-Packard's Hurst said he had encountered such a situation: when the cloud service provider was attacked, the enterprise still had to bear part of the responsibility. His former employer outsourced the company's medical insurance information to an overseas supplier. "When cloud service providers are attacked, companies still have to admit they lost data and need to pay for fraud detection services." In other words, when you entrust a business function to a third party, you do not get rid of your responsibility.

Error 5: Putting insecure applications in the cloud in the hope that they will become secure

The key is properly preparing your applications and data for the transition, she says. Delivering flawed legacy IT systems and vulnerable applications to cloud service providers does not automatically make these systems secure. "No supplier will fix the system or the program for you," said Sun's Dennedy. "Don't fantasize that the rubbish you throw to others will automatically become a good thing."

Cloud computing can provide better security and management for businesses only if you choose the right suppliers, outsource the right applications, and deploy the right plans, but it will be a big challenge for businesses that don't have proper control. "Security companies usually have no control over their architecture," said Michael Sutton, vice president of security research at Zscaler, who also pointed out that a Gartner study showed that 60% of companies were still using flawed IE6 browsers.

That said, insecure applications can get better protection from cloud service providers because there is less access to the enterprise data center, but in the end the vulnerabilities are still a risk. "After all, with an unsafe application, any data it accesses can be stolen," he says. "This can be dangerous if an attacker attacks the application and uses it to launch a botnet without controlling the program."

Error 6: Not knowing that business units have already started using cloud services

Everyone knows IT security is often considered a barrier to technical and business operations, not a catalyst. This view can sometimes cause a business unit to become completely disconnected from security, and one day you will suddenly find that the business unit has been talking to a cloud vendor without considering security at all.

The key is to prevent anyone within the enterprise from signing contracts with cloud service providers without any regard for security issues. Companies may have security policies that define cloud computing, as well as security guidance around cloud computing, but if these measures are not strictly enforced, they will be of no use to departments other than the security department. Wang, of Forrester Research, says IT departments are often unaware that cloud computing services are already in use within the enterprise.

The security department should be involved as early as possible. If the security team can participate in the assessment and audit process, it can determine the enterprise's cloud service security requirements, so that the enterprise can hand its systems and programs to cloud services with confidence and focus on the business. Of course, this also requires a better understanding of the business, not just its technical aspects.

Responsible editor: Chen Yunji
Original: 6 common cloud security mistakes