Security Lessons in the Cloud: PWC Interview
Gary Loveland, a principal in PricewaterhouseCoopers' advisory practice and head of the firm's global security practice, discusses the latest in cloud security issues.
Tue, February 01, 2011
CSO — CSO recently interviewed Gary Loveland, a principal in PricewaterhouseCoopers' advisory practice and head of the firm's global security practice, about the latest in cloud security issues. Loveland has functioned as a data security officer and has recommended and implemented security strategies in large-scale business environments.
CSO: What do you consider to be the most serious security threats related to cloud computing?
Loveland: One of the most serious security threats to cloud computing is the fact that it is still an emerging technology, and even savvy IT leaders may not fully understand how the multiple layers of technology that comprise the "cloud" work together. Leveraging use case scenarios about specific risks and threats can be very helpful, so that [executives] can see more clearly where they are at risk and better understand how they can mitigate it. For example, multi-tenancy environments pose a threat at several layers, such as the complexity of the rule sets that drive routing and access to domain resources. A misconfiguration can result in unauthorized access to privileged information.
CSO: Are there any emerging threats/vulnerabilities with the cloud that you find particularly disturbing?
Loveland: One of the most insidious emerging threats to the cloud is targeted malware. Cloud infrastructures with multi-tenancy environments provide large and lucrative targets for malware. Cyber criminals choose to attack targets where their efforts can yield the highest benefit, and large cloud providers are big targets with potential treasure troves of data that can be sold on the black market. Further, cloud providers are often connected to many corporate networks and, if penetrated, provide a good launching point for distributed attacks. Application vulnerability injection exploits are the most dominant path of attacks. While there is no "silver bullet" that can completely secure an application, risks can be mitigated by applying proper security controls at each layer of the architecture. Also, many cloud providers incorporate security tools -- such as static code analysis tools at the PaaS layer -- to remedy the gaps in a layered security approach.
CSO: In your opinion, is the public cloud safe enough to be used for business applications and information, or do service providers still have work to do to adequately protect data?