How Secure is your Cloud?

Grazed from PC Quest.  Author:  Sufyan bin Uzayr.

Of late, cloud computing has taken the IT world by storm. More and more businesses are migrating to the cloud instead of local storage. Not only is cloud-based storage cheaper and requires less maintenance, it also fosters greater collaboration and data sharing capabilities.

Both Google and Amazon are now offering attractive cloud services for businesses and organizations. The service is extremely reliable; your data is stored across multiple servers and can be seamlessly shared among all your employees and clients.

At this juncture, with cloud computing on the rise, questions are being raised about security. For a start, any data stored on an intranet or the internet, no matter how big or small, can be targeted by malicious hackers. More generally, cloud-based storage has often come under attack from tech critics claiming it to be an insecure medium for storing data. Thus, while more and more organizations are shifting to cloud-based storage for managing their data, there is talk of Google suffering outages (see thereby proving the inability of the cloud to be a reliable medium for business usage...

Number-munching clouds are godsend for cybercrooks - experts

Grazed from The Register.  Author: Phil Muncaster.

Cloud computing providers came under fire today from security experts who blamed them for giving cyber-criminals the tools to launch attacks more easily, efficiently and anonymously than ever before.

Speaking at the fourth InfoSecurity Summit in Hong Kong on Tuesday, SC Leung - a senior consultant at the city-state's Computer Emergency Response Team - argued that crooks are making the most of the sudden rise of distributed number-crunching services.

"They are using it more efficiently for web hosting and they can subscribe to cloud services to get bandwidth on demand," Leung told attendees...

Cloud Security: Encryption Is Key

Grazed from Sys Con Media.  Author: Ariel Dan.

Today, with enterprises migrating to the cloud, the security challenge around protecting data is greater than ever before. Keeping data private and secure has always been a business imperative. But for many companies and organizations, it has also become a compliance requirement and a necessity to stay in business. Standards including HIPAA, Sarbanes-Oxley, PCI DSS and the Gramm-Leach-Bliley Act all require that organizations protect their data at rest and provide defenses against data loss and threats.

Public cloud computing is the delivery of computing as a service rather than as a product, and is usually categorized into three service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). When it comes to public cloud security, all leading cloud providers are investing significant efforts and resources in securing and certifying their datacenters. However, as cloud computing matures, enterprises are learning that cloud security cannot be delivered by the cloud provider alone. In fact, cloud providers make sure enterprises know that security is a shared responsibility, and that cloud customers do share responsibility for data security, protection from unauthorized access, and backup of their data...

Secure Cloud Computing Platform Focus on New Collaboration

Grazed from Midsize Insider.  Author: Bob Thomas.

The lack of secure cloud computing has been one of the biggest issues facing companies that want to move their operations into the cloud but are concerned about deploying sensitive data into the perceived insecure environment of cloud computing.

Three companies, LynuxWorks, Inc., TransLattice, and Fritz Technologies Corporation, which are already known for providing solutions to data-sensitive customers like the government, have announced their collaboration to produce a secure cloud platform. The S.E.C.U.R.E. (Secure, Enterprise, Cross-Domain, Unified, Resilient Environment) platform is ideal for creating cloud deployments in highly sensitive environments...

Critical Cloud Vulnerabilities Revealed at TakeDownCon Hacking Conference in Dallas, TX - May 2012

Grazed from PRWeb.  Author: PR Announcement.

Everywhere you turn the “cloud” is the latest big thing when it comes to storing data and reducing costs for companies worldwide. Many assume that because their data is being stored offsite it is securely preserved and they no longer have to worry about risk.

“Au contraire. Risk cannot be outsourced,” says professional ethical hacker Dave Chronister of Parameter Security (St. Louis, MO). Mr. Chronister went on to say, “It’s because of this mindset that hackers are preying upon the cloud and are gaining control of huge stores of information through a single attack” - which is exactly what Mr. Chronister recently did.

Mr. Chronister went on to say, “During a recent cloud security audit, I was able to identify a zero day exploit and within minutes gained access to the cloud sphere and every system that was on that cloud—giving me complete control. Needless to say, the client was shocked because they were touting their cloud offering as 100% secure.”...

Fundamental Elements Of Cloud Computing Security

Grazed from CloudTweaks.  Author: Florence G. de Borja.

Cloud security, or cloud computing security, evolved from information security and includes a wide set of controls, technologies, and policies used to protect the infrastructure, applications, and data associated with cloud computing. It is distinct from cloud-based security software services, commonly referred to as security-as-a-service.

Security issues related to cloud computing can be either security issues experienced by end users or security issues experienced by cloud suppliers. In general, cloud providers must make sure that what they’re offering is secure and that their customers’ applications and data are also protected. The client, on the other hand, must ensure that the cloud supplier has the appropriate security implemented in order to protect their data and applications. Because of virtualization, customers of public clouds have growing concerns regarding cloud security, primarily because virtualization has changed the relationship between the hardware and the operating system. The additional concern that the virtualization software itself could be compromised makes users wary about whether cloud computing can be secured...

Data Security and the Cloud: Get Up to Speed

Grazed from NewsFactor.  Author: Editorial Staff.

Most people are wary of electrical devices that don't carry a seal of approval from Underwriters Laboratories, or a bank that isn't FDIC insured. Wouldn't it be great if there was something similar that businesses could rely on when choosing a cloud computing vendor?

With the marketplace still evolving, however, there isn't a single "thumbs up, thumbs down" standard for cloud security. Yet business technology leaders still have to make the right call on outsourced IT vendors and the integrity of data centers they use to deliver information to the cloud. The dilemma: many decision-makers are unfamiliar with or lack confidence in choosing the best services to make those assessments...

Cloud Computing: Dome9 Security Addresses RDP Cloud Server Vulnerability

Grazed from Sys Con Media.  Author: Pat Romanski.

Dome9 Security on Thursday announced that its cloud security firewall management service protects cloud servers from serious security threats, including the recently publicized Microsoft Remote Desktop Protocol (RDP) vulnerability. Dome9's cloud security service, which automates firewall management, eliminates the need for tactical responses to both known vulnerabilities and vulnerabilities yet to be discovered, and delivers a strategic approach to securing cloud servers.

Roy Feintuch, Dome9 CTO and Co-Founder, observed that "Hacker kits are already available for download that make it easy to identify and exploit this vulnerability on any Windows cloud server."...

Cloud Computing: 3 Big Security Themes At Black Hat Europe

Grazed from InformationWeek.  Author:  Matthew J. Schwartz.

Want to succeed at security? Then lose the perfectionism, stay skeptical, and treat new technologies, including the cloud, with caution.

Those were three common themes that emerged during last week's Black Hat Europe conference in Amsterdam. Of course, the annual gathering also featured plenty of hardware hacking, details of new bugs in everything from SAP to Cisco VoIP systems, all-day technical training sessions, and loving tear-downs of Apple iOS and Google Android mobile operating systems...

But throughout many of the sessions these three themes--along with corresponding admonishments and warnings--were consistently voiced:

1. Forget Perfectionism. Cryptographer Whitfield Diffie, in his keynote speech opening the conference, highlighted a persistent challenge faced by information security practitioners: they get no credit for all of the attacks they successfully repel. "Even when defense has done its job well, it is blamed for doing anything other than doing it perfectly," he said. But who has the time--or money--for perfection? Instead, businesses must emphasize getting something in place that's good enough to do the job.

One case in point involves Bradley Manning, who allegedly leaked confidential government memos to WikiLeaks. "In one sense, very clearly, for the [Department of Defense] it is a security failure," he said. But what really happened? Foreign adversaries didn't break the Pentagon's high-grade cryptography, crypto equipment, or key management setup. Instead, the attack hinged on a single insider who already had access to the materials in question.

"A variety of people who designed the system should say, we did a pretty good job of that. We had an awful thing happen, but it's something that the opponents can't mass produce," Diffie said. In other words, almost any security can be defeated. But just how gracefully does it fail, and how difficult or expensive would it be for an attacker or attackers to successfully repeat the effort?

2. Keep Cloud Security In Perspective. Avoid the cloud? Hardly. As long as it offers lower costs and better ease of use than traditional on-premises systems, that's never going to happen. From a security standpoint, however, cloud architecture isn't always ideal, and thus it demands strong doses of security skepticism for anyone who's called on to secure business data that's stored there. 

"What I find interesting is that Web security bugs are existing with companies that we're pretty sure know what they're doing," said Felix "FX" Lindner, head of Recurity Labs in Berlin, in an interview at Black Hat. "Even Google has issues doing that," he said.

In other words, it's tough to get security right in the cloud, not least because clouds aren't static. Developers keep pushing new code, as do business partners, plug-in providers, and everyone else who's tied into the cloud ecosystem. "The inherent problem with cloud is it's a moving target," he said. Furthermore, just one coding error in any of that code might be exploited by an attacker to gain access to a cloud-based target.

That constantly evolving code base may also not be protected with extra layers of security. In fact, the opposite is most often true. "We worked on privilege separation in the operating systems for years and years--don't work as root, and stuff like that," said Lindner. "But the cloud does it, and sometimes there's just one account, or password." In such scenarios, attackers may need to compromise only one credential to gain the keys to a business's cloud kingdom.

Some cloud providers, however, are better than others. "Ridiculous as it might sound, I think Microsoft is doing it right with 'We're using the secure development lifecycle, and we don't do anything without SSL,'" said Lindner. "I don't understand why any Google functionality is available via HTTP; it's not like they don't have the computer power to do it all in HTTPS." Indeed, if the cloud remains hard to secure, why aren't cloud providers offering as much out-of-the-box security, by default, as possible?

3. Beware Free Lunches. Whether it pertains to cloud security, the challenge of hardening mobile devices, or the speed with which vendors patch, Black Hat presenters urged skepticism: trust nothing, verify as much as possible, and above all, get working security in place quickly.

For a profession that tends to reward paranoia, however, many conference attendees appeared to arrive without their skepticism intact. The well-known first rule of Black Hat, notably, is to never trust the conference's wireless network, since it's more than likely that someone will be sniffing your packets or attempting to own your mobile device. Accordingly, deactivate Bluetooth, and beware Wi-Fi--especially hotspots with names such as "LEGITFREEWIFI."

Otherwise, you may end up on the wireless router with that SSID, which happens to be owned by Steve Lord, a director at information security consultancy Mandalorian. Lord brought an extra router with him to Black Hat Europe, then used dsniff to log the credentials that flew across the router. "Weaponizing hotspots is fun," he said in his Black Hat Europe presentation.

Any "should have known better" free hotspot takers? He had more than a few, including one apparent conference attendee who used the hotspot to telnet into his Cisco router--username: "Cisco," password: "Cisco." "But I've no way of knowing if someone was just messing with me or they really logged on, as dsniff didn't log the full session, just what was sent," said Lord in an interview.

Thankfully, Lord also said he would name no names and had deleted all of the collected data, noting that it was lucky he wasn't running an "evil mobile coffee hotspot."

Of course, it was alarming to see information security professionals fall for what should have been an obvious trick. The moral: "If something at a security conference looks too good to be true ... don't connect to it," Lord said. Those are words to live by--and not just at security conferences.

Coping with the Complexity of Cloud and BYOD Security

Grazed from IT Business Edge.  Author: Michael Vizard.

Thanks to the rise of cloud computing services and the bring-your-own-device (BYOD) phenomenon, there’s a lot more nuance these days involving the securing of mobile computing devices.

While many organizations are still debating the merits of BYOD, companies that have embraced BYOD are finding that BYOD presents a number of challenges that go well beyond access. For example, should an end user be able to access personal applications such as games over the corporate network? And should organizations apply different levels of granular policies across different classes of devices owned by the same user?...