Security: The Biggest Holdup to Cloud Computing
March 28, 2011
lack of understanding about security risks is one of the key factors holding back cloud computing.
Report after report after report harps on security as the main speed bump slowing the pace of cloud adoption. But what tends to be overlooked, even by cloud advocates, is that overall security threats are changing as organizations move from physical environments to virtual ones and on to cloud-based ones.
Viruses, malware and phishing are still concerns, but issues like virtual-machine-launched attacks, multi-tenancy risks and hypervisor vulnerabilities will challenge even the most up-to-date security administrator. Here are 5 overlooked threats that could put your cloud computing efforts at risk.
1. DIY Security
The days of security through obscurity are over. In the past, if you were an anonymous SMB, the threats you worried about were the typical consumer ones: viruses, phishing and, say, Nigerian 419 scams. Hackers didn’t have enough to gain to focus their energy on penetrating your network, and you didn’t have to worry about things like DDoS attacks – those were a service provider problem.
Remember the old New Yorker cartoon: "on the Internet no one knows you’re a dog"? Well, in the cloud, no one knows you’re an SMB.
"Being a small site no longer protects you," said Marisa S. Viveros, VP of IBM Security Services. "Threats come from everywhere. Being in the U.S. doesn’t mean you’ll only be exposed to U.S.-based attacks. You — and everyone — are threatened from attackers from everywhere, China, Russia, Somalia."
To a degree, that’s been the case for a while, but even targeted attacks are global now, and if you share an infrastructure with a higher-profile organization, you may also be seen as the beachhead that attackers can use to go after your bigger neighbors.
In other words, the next time China or Russia hacks a major cloud provider, you may end up as collateral damage. What this all adds up to is that in the cloud, DIY security no longer cuts it. Also, having an overworked general IT person coordinating your security efforts is a terrible idea.
As more and more companies move to cloud-based infrastructure, only the biggest companies with the deepest pockets will be able to handle security on their own. Everyone else will need to start thinking of security as a service, and, perhaps, eventually even a utility.