July 11, 2011 CLOUD COMPUTING, CLOUD SECURITY

Cloud Computing Security Risks – More Thoughts to Ponder

Many companies greatly underestimate the security issues in the cloud and end up trying to protect their servers only with a firewall, if even that.  Because the cloud is being approached as a way to save money by reducing hardware rather than by improving efficiency, the idea of deploying security in the cloud is too often overlooked as an expensive and unnecessary luxury.  This is heaven for the hackers, who couldn’t ask for anything better than an environment full of servers that aren’t protected.

When Network Box started operations 11 years ago, security was generally seen as a firewall and, maybe, antivirus on the workstations. Over the years we have been telling our customers that this is not enough. IDS, IPS, and several other gateway protections have emerged. Network security today can be very strong, but too many companies are not adopting the same protections at the virtual level.

For one thing, in the virtual world you can’t install your own device, so you need to use what is available as a virtual solution. Some companies have virtualized their systems already; Network Box, for example, has a completely virtual version of its award-winning hardware-based solution. The two versions are identical in every respect, including how the system is managed.

But most of the other offers, which customers can manage themselves, are just firewalls. This poses a problem and a risk. A firewall is only a starting point, and definitely not the “entire” security you need to protect a network. IDS, IPS and much more are needed, just as they are in the physical world.

One solution we have seen does not even include the ability to create an IPsec VPN. You need to install your own open source code, compile it, and configure it. Where are the savings when your people need to spend so much time securing everything? And so it happens that security becomes secondary because it is seen as too expensive to be done properly.

What makes matters even worse is the general lack of appropriate processes and procedures to deal with the cloud. When you move your data into the cloud, you need to ensure that access controls are as strong as they can be; you also need to reinforce your database even more than when you have it in house; and you need to define very clearly who has access to what and why. The same processes and procedures you use inside your company need to apply to the cloud.

Because most of what is hosted in the cloud is servers running databases or backups, too often we see connections from the company to the cloud made via RDP, without any form of protection. My major concern is that RDP exposes a login account to the Internet. Hackers then have all the time they want to conduct any form of exploit; this could be a brute force password attack, but most likely it will be some sort of malformed packet that will run arbitrary code on the server. RDP should never be opened to the Internet at large. If no other option is available, it should at least be restricted to well-specified source addresses.

The best way to protect your cloud is to adopt an integrated firewall/IPS/VPN solution; this will deliver the best security available in traditional environments, and allow for full protection of the cloud servers and data. Connection from the company’s network to the cloud should never be made other than through a VPN. Inbound access from the Internet to the servers should be tightly controlled, and allowed only from specific IPs if possible, and only if and when necessary.

Access outbound, to the Internet, should be controlled as well by opening only the ports that are really needed, which in most cases will be only domain, http, https and maybe a handful of ports to reach some authorization or authentication server, if really necessary (these should be restricted to the IPs of the remote servers).
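The inbound and outbound rules described in the last three paragraphs can be checked mechanically. The following is an added example, not part of the original article or any vendor's tooling: a small auditor that flags allow rules breaking that policy. The rule dictionary format, rule names and finding labels are assumptions made for illustration, and the sample rules are constructed.

```python
import ipaddress

RDP_PORT = 3389
# Outbound ports the text names as usually sufficient: domain, http, https.
OUTBOUND_OPEN_PORTS = {53, 80, 443}

def is_any(cidr):
    """True when the CIDR matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(rules):
    """Return (rule name, finding) pairs for allow rules that break the policy."""
    findings = []
    for rule in rules:
        # Assumption: any peer narrower than the whole Internet counts as "specific".
        if rule["action"] != "allow" or not is_any(rule["peer"]):
            continue
        low, high = rule["ports"]
        if rule["direction"] == "in":
            if low <= RDP_PORT <= high:
                # RDP reachable from the Internet at large: never acceptable.
                findings.append((rule["name"], "rdp-exposed"))
            else:
                # Other inbound services should be pinned to specific IPs if possible.
                findings.append((rule["name"], "inbound-any-source"))
        elif rule["direction"] == "out":
            # Ports beyond domain/http/https must name the remote server's IP.
            if set(range(low, high + 1)) - OUTBOUND_OPEN_PORTS:
                findings.append((rule["name"], "outbound-unrestricted"))
    return findings

# Constructed sample rule set (documentation address ranges, not real hosts).
RULES = [
    {"name": "rdp-world", "direction": "in", "action": "allow", "peer": "0.0.0.0/0", "ports": (3389, 3389)},
    {"name": "rdp-office", "direction": "in", "action": "allow", "peer": "203.0.113.0/24", "ports": (3389, 3389)},
    {"name": "https-world", "direction": "in", "action": "allow", "peer": "0.0.0.0/0", "ports": (443, 443)},
    {"name": "out-web", "direction": "out", "action": "allow", "peer": "0.0.0.0/0", "ports": (443, 443)},
    {"name": "out-all", "direction": "out", "action": "allow", "peer": "0.0.0.0/0", "ports": (1, 65535)},
    {"name": "out-auth", "direction": "out", "action": "allow", "peer": "198.51.100.10/32", "ports": (1812, 1812)},
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```
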

The bottom line is that too many companies are adopting lackluster security postures in the cloud because they are trying to contain costs. In doing so they are putting their data in danger. At a minimum, their servers could become either zombies in botnets, or command and control centers of the same. But they could also lose their data, and this could compromise the very existence of their company.

Do not underestimate the importance of security in the cloud; it is still your data, and it is still your company that could be at risk.