Trend Cloud Security Blog – Cloud Computing Experts

What Are the True Dangers of the Cloud?

Posted by Christine Drake in Cloud, Cyber crime, DataCenter, hybrid-cloud, IaaS, PaaS, private cloud, public cloud, SaaS, Secure Data Centers, Securing the Cloud, Security, Threats, Threats from the Cloud, Virtualization Sep 8th, 2011 | 7 responses

We often hear that security and privacy concerns are the main inhibitors to cloud adoption.  But what are the true threats?  Is the cloud really more dangerous than your on-site data center?  I would say that virtualization and cloud computing aren’t inherently more dangerous, but they have unique infrastructure that must be addressed when creating a security foundation. 

There are similar attacks across physical, virtual, and cloud infrastructures—data-stealing malware, web threats, spam, phishing, bots, etc. So many companies are tempted to deploy their security for dedicated physical servers and endpoints on their virtual machines in their data centers and in the cloud.  But although the types of attacks may be the same, how they exploit virtualization and cloud infrastructure can be different.  And conventional physical security will not provide sufficient protection for these environments.

Trend Micro just released a report on the security threats to virtualization and cloud computing, which is posted in the Threat Trends section of the website.  I know I may be biased working for Trend Micro, but this is truly one of the better threat reports I’ve read.  It starts with global adoption statistics for virtualization and cloud environments.  Then it covers security risk specific to both virtualization and the cloud. For example, for virtual infrastructure, the report discusses communication blind spots, inter-VM attacks, hypervisor compromises, and much more.  But it also describes how security solutions should be “virtualization-aware” to provide better protection and to make the best use of virtual resources. For cloud computing, the report starts by discussing the different cloud models and who has responsibility for security, followed by threats to private, public, and hybrid clouds.

The report also weaves in real-world threat examples.  Readers see that these threats are not just hypothetical, but are actually occurring in the wild.  And as the adoption of virtualization and cloud computing grows, cybercriminals will undoubtedly increase their efforts to penetrate these environments.  To help defend against this, Trend Micro also released a Virtualization and Cloud Security Best Practices paper in addition to the threat report.  What use is knowing the threats if you don’t know how to combat them?

  • http://www.facebook.com/people/David-Wheatamyer/100003040127143 David Wheatamyer

    The security question was initially a concern for us embracing virtualization; however, we found this is only true in a public cloud model. Private cloud solutions utilize the existing security model already in place. This helped put it into perspective http://www.vir3.com/blog/cloud-computing-security/

  • http://twitter.com/LamixK Kendrick Lamar

    Are these security issus only for the the home usage of cloudbased system or are they also relevant for b2b clouds, like the ones used by contact centers. Because this company mentions the advantages of their cloud-based contact solution, but not the risks.

    • Anonymous

      I was writing the blog post from a B2B perspective. However, cloud risks also depend on what type of cloud you’re deploying. The threat report discusses the different types of public clouds and the level of control and security liability of the customer based on cloud model. In Software as a Service (SaaS) or Platform as a Service (PaaS) clouds, the service provider is responsible for most security. For contact centers, I believe the company provides cloud-based services and would responsible for the security of the system. I would suggest that you ask them about the security and availability they offer (e.g., what Service Level Agreement (SLA) provisions they offer).

      The customer has more control over security in an Infrastructure as a Service (IaaS) cloud. The service provider offers a VM platform and the customer deploys VMs into this environment. The customer can deploy security on the VM-level. If you haven’t already, I encourage you to read the report to learn more about the cloud models and how you can impact security for your cloud environments.

  • Pingback: Los verdaderos peligros de la nube » blog.trendmicro.es

  • Pingback: Trend Micro Asia Pacific News Library - What Are the True Dangers of the Cloud?

  • http://twitter.com/ElectricCatLtd ElectricCat

    THE QUESTIONS YOU SHOULD ASK BEFORE TRUSTING YOUR DATA TO THE CLOUD

    Information Security Consultancy Electric Cat, and Rickerbys Solicitors, will be hosting a joint breakfast presentation for local businesses on 5th October 2011 in Cheltenham, UK.

    Attendees will learn about the security implications of choosing the cloud from highly experienced ethical hacker James Wootton, MD of Electric Cat, and the legal and contractual issues businesses should consider before signing up to the cloud from Bhupinder Kaler, Solicitor with local law firm Rickerbys.

    Places are free but extremely limited and anyone wanting to attend should email neil@electriccat.co.uk as soon as possible to reserve their place.

  • http://twitter.com/ElectricCatLtd ElectricCat

    WHY CHOOSING THE CLOUD COULD LEAVE YOU FACING A STORM
    By James Wootton, MD, Electric Cat
    31 May 2011

    CLOUD computing isn’t new, despite the hype, but cloud services such as SaaS, PaaS and IaaS have hit the big time with many of the major IT outsourcing companies wanting a slice of the pie.

    Cloud providers offer to lower your IT costs, increase productivity, provide ROI and remove the burden of running and supporting systems such as email, CRM and finance. For the majority of businesses, there are likely to be financial savings and possibly the simplification of some of their current business processes.

    However, Caveat Emptor! Before you reach for your cheque book, you need to consider the consequences of using the cloud, and the potentially catastrophic legal and financial predicaments you could be facing. It’s all about your appetite for risk; will your clients still be happy to remain your clients when it’s all gone wrong? I use “when” rather than “if” deliberately.

    Think about the information you push into the cloud, which may consist of personal, private or sensitive data from your email or CRM systems. There’s a whole basket of legal issues to be considered here, mostly because of the potential for clouds to operate cross-border, but for now I’ll concentrate purely on cyber security issues.

    Opting to use cloud services means you’ve effectively lost control of your data. You have chosen to trust the entity that is now processing and/or storing your data (wherever in the world that may occur). You must then consider the following:

    ● Conduct a thorough risk assessment that can be fed into your information security management system (such as described by ISO27001), allowing you to confidently analyse the new risks introduced to your business;

    ● Ensure that the provider’s procedures and policies give you confidence that they are adequately securing your data. Never be afraid to ask for copies of policies, certifications and evidence that reinforce this;

    ● Consider the implications of any downtime that may occur, and have contingency plans in place for any loss of critical services.

    When it comes to a loss or theft of data, will it be a light shower or a thunderstorm? Historical and recent events (selling of customer details by bank staff, Amazon services being used to hack Sony) would suggest the latter…

    This article first appeared here: http://www.thisisgloucestershire.co.uk/Choosing-cloud-leave-facing-storm/story-12146487-detail/story.html

    http://www.electriccat.co.uk