Contrary to popular perception, cloud computing does not make companies more susceptible to cyber attacks.
In fact, the dynamic nature of cloud computing architectures makes it more difficult for hackers to break into corporate networks, said Jim Reavis, co-founder of the Cloud Security Alliance. He was speaking at a panel discussion held on the sidelines of the CloudSec 2012 conference last week.
Citing the experience of the U.S. Central Intelligence Agency (CIA), Reavis noted that the CIA, which faces advanced persistent threats from foreign governments and other perpetrators, is able to move data across its cloud architecture to mitigate any risk arising out of a cyber attack.
“That, however, is predicated on efforts by cloud service providers to provide quality baseline security,” Reavis said.
Timothy Grance, senior computer scientist at the U.S. National Institute of Standards and Technology, noted that security threats will always exist in any computing model.
“If you’re poorly run before the cloud, you’re probably going to be poorly run with the cloud,” he said. “It’s about people doing all the right things they’re supposed to do, and knowing how to make trade-offs among the risk choices that you’re making.”
The panelists also highlighted key differences between securing traditional IT and cloud infrastructures.
“In the traditional data centres, you usually have firewalls and agent-based security, but as you move to a virtual infrastructure, you have to protect virtual machines across data centres,” said Nicholas Tan, country manager of VMware Singapore and Philippines.
Grance said that, compared with traditional data centres, companies may not have full visibility into a cloud service provider’s infrastructure.
“You are, in many ways, trading control for efficiencies, so challenge vendors to show you how they are protecting your brand and reputation,” he said.
Reavis said securing data on the cloud requires companies to know where sensitive data is held and to build security parameters around that data. Increasingly, data would have to be encrypted as it becomes more accessible on mobile devices, he said.
Grance noted that security professionals would also have to align their skills with a service- and data-oriented security model, rather than one based on physical IT infrastructures.
“What’s valuable is the data, and not the machines,” he said.