Cloud technology had a strong start because it followed the same development path as other systems. That path was to develop capabilities and add features to systems with little regard for information security. Over the years, cloud applications have emerged as software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). Cloud systems are deployed as private, community, public and hybrid models. They are all over the Internet and are accessible by many types of mobile devices.
Over time, many cloud systems have crashed and incurred a variety of problems. Because of this and the fact that many people are not paying attention to these issues I wrote my recent ISACA Journal article, “Cloud Insecurities.” In the article I talk about the threats, vulnerabilities and weaknesses that people have accepted as a way of life and tend to ignore. Many of the article’s observations come from reading the Department of Homeland Security (DHS) Daily Open Source Infrastructure Report and from the Cloud Security Alliance (CSA) reports. To address the cloud problems, my Journal article suggests countermeasures that may or may not have been considered or implemented, and there are some questions that may help organizations think through cloud vulnerabilities.
When trying to develop a secure cloud system, it is important to remember:
- Not all programmers who develop cloud applications and tools have the same training or zeal for perfection.
- Not all cloud service providers (CSPs) run their data centers the same way.
- Not all organizations have the same software update and maintenance policy.
- CSPs may not have all of their systems configured to be perfectly secure.
- CSPs may use different operating systems and vendor software.
- There are criminal organizations and people who are looking for ways to take advantage of the information available on the Internet.
Developers, managers and computer operations should follow best practices and think about how important information security is and how many people are affected by it. The weaknesses in system configurations, product vulnerabilities, and account control and monitoring are not only common outside the cloud but also within cloud applications.
Endpoints, which include mobile hand-held devices, are changing and increasing in capabilities (and vulnerabilities) and the number of applications offered. Since the endpoint applications were developed the same way as cloud applications (i.e., security as an afterthought), they also contain weaknesses and vulnerabilities that criminals will eventually find and exploit. As consumers, it is important to be ever vigilant and also aware that many of the applications that are available have already been infected with malware or soon will be if users click a malicious link or go to an infected website. By loading malicious code onto mobile devices, users invite criminals to obtain personally sensitive information available in the cloud, and, worst of all, create a means by which criminals can access users’ hard-earned savings. So beware the applications you download. They may be your undoing.
Read Larry Wlosinski’s recent Journal article:
“Cloud Insecurities,” ISACA Journal, volume 2, 2015.