In-Depth

Top Security Threats Still Plaguing Enterprise Cloud Adoption

Cloud usage is rising and so are the number of threats to the security and privacy of your organization's information.

• By John K. Waters
• 10/28/2014

As cloud computing moves beyond the early-adopter stage, security and privacy concerns and the inherent risk of moving assets off-site are not just fears -- they're real. Uncertainty about data security and privacy slowing the adoption of cloud computing existed before last year's revelations by Edward Snowden of covert government surveillance, but the scope accentuated skepticism, coinciding with the rise of cyber attacks from around the world.

"Edward Snowden's revelations were really a wake-up call for the industry about what the government can do with your data," says IDC analyst Al Hilwa. "And if the government can see your data, who else can? It's really not surprising that security concerns have slowed enterprise adoption."

Those fears notwithstanding, they're unlikely to put a major dent in projected adoption of public cloud services in the coming years. Gartner Inc., for example, predicts cloud computing will constitute the bulk of new IT spending by 2016, and that nearly half of large enterprises will have hybrid cloud deployments by 2017. However, the results of a recent survey by U.K.-based communications services provider BT Group of IT decision makers in large U.S. companies underscore a contradiction: 79 percent of respondents said they're adopting cloud storage and Web applications in their businesses, but they also report their confidence in the security of the cloud is at an all-time low.

Top Security Threats
The lack of confidence is with good cause. The Cloud Security Alliance (CSA) has identified what its researchers believe to be the top nine cloud security threats. Data breaches top that list, dubbed "The Notorious Nine". Also on that list are data loss, service traffic hijacking, insecure interfaces and APIs, denial-of-service attacks, malicious insiders, cloud services abuse, insufficient due diligence, and shared technology vulnerabilities. The company emphasized those risks at a three-day conference in September hosted jointly by the CSA and the International Association of Privacy Professionals (IAPP).

Not on that list, but another major risk, is the ease with which employees can and typically do bypass IT departments when using cloud services, says Jim Reavis, founder and CEO of the CSA. Today, anyone can use a credit card to spin up a virtual machine on Amazon or Microsoft Azure, set up a SharePoint instance via Office 365 or another third-party provider or by using free services such as Box, Dropbox, Google Drive or Microsoft OneDrive. Reavis points out that when people bypass IT when using these and other services, it undermines business-level security policies, processes, and best practices, making enterprises vulnerable to security breaches.

Another risk Reavis points to: the lack of knowledge by IT management of the scope of cloud usage in an organization. At the CSA Congress 2014, the group published the results of a survey of U.S. companies, many of which drastically underestimated the number of cloud-based apps running in their organizations. The report concludes, "Cloud application discovery tools and analytical tools on cloud app policy use and restrictions are crucial in the workplace, especially when it comes to sensitive data being used by these cloud applications. With sensitive data being uploaded and shared by these apps with authorized and unauthorized users, policy enforcement becomes a major role in protecting your data."

The report estimated with more than 8 billion Internet connected devices, a growing number of businesses may own data, but no longer own their infrastructure. "A few years from now, that 8 billion will become a quarter trillion," Reavis says. "If we lose ground on privacy and security today, we'll have a very hard time getting it back. That creates a mandate to embrace the tools and technologies that are emerging to manage and protect these resources."

The proliferation of all those devices and the bring-your-own-device corporate culture has resulted in an enterprise that's more difficult than ever to protect -- cloud or no cloud, says C.J. Radford, VP of Cloud at data security company Vormetric Inc.

"The perimeter has failed or is failing, given that data is now everywhere," Radford says. "If you're only focused on your perimeter, you're going to have a very hard time protecting your data. But that's where the enterprise has traditionally spent its money over the past 10 or 15 years -- essentially, on building a bigger moat. The problem is, you can't build a moat around, well, everything."

Controlling Access
In an increasingly cloud-centric, perimeter-less world, enterprises must concentrate their security efforts on protecting the data itself, Radford says. His company partners with leading cloud vendors, including Amazon Web Services Inc., Rackspace, IBM Corp., and Microsoft, to provide data-at-rest encryption, integrated key management, privileged user access control, and security intelligence logging. Among other things, the Vormetric Key Management Key Agent software works with Microsoft SQL Server Transparent Data Encryption (SQL Server TDE) to help manage SQL encryption.

"Today, it's all about controlling data access," he says. "If you read any of the major breach reports, one of the ways the bad guys are getting access to data is compromising privileged username and password credentials. They're doing it through social engineering, phishing and that sort of thing."

Not surprisingly, Radford is a strong advocate of data encryption, and he also recommends a bring-your-own-key (BYOK) approach. "You should never rely on the provider to manage your encryption keys," he says.

"BYOK means the provider can turn over your data in encrypted form, but it's useless without the key. The other thing it buys you is the ability to `digitally shred' your data. We call that `permanently securing your data.' That's why we always say, rule No. 1 in encryption is never lose your key."

Encryption support is even showing up above the infrastructure level. Azure, Outlook.com, Office 365 and OneDrive, for example, are now supported by Transport Layer Security (TLS), Microsoft announced last summer. The encryption support covers inbound and outbound e-mail, as well as Azure ExpressRoute, which allows users to create private connections among Azure data.

Data encryption and data-centric solutions seem to be especially appealing to enterprises in the post-Snowden era, says Luther Martin, chief security architect for Voltage Security Inc.

Martin believes the primary cloud security concern in the enterprise today is availability.

"If you look at the data, in terms of frequency, most of the cloud incidents so far have been about service outages," he says. "The outages have been relatively short, but they can be terrifying, and there's not much an enterprise can do about them."

He also notes, however, that encryption keys present their own challenge -- namely, keeping track of them. "Effective encryption key management is hard," he says, "and people often don't give it the consideration it deserves. I mean, if you lose a key, you've lost your data, too."

Fortunately, new technologies and approaches to the management of encryption keys are emerging. Martin points to so-called stateless key management, which enables on-demand key generation and re-generation, as an example.

Cryptographer Taher Elgamal, CTO in the security group at Salesforce.com Inc., believes security for the cloud is seriously lagging in an outdated IT model.

"We're not protecting the cloud infrastructure using the cloud," he says. "We're pushing products that were built to secure one environment -- the enterprise network -- to secure a very different environment -- the cloud. Security would be a lot better in a cloud infrastructure."

Shielded Execution
And, yet, as CSA's Reavis has pointed out, demand for enterprise cloud security solutions is driving innovation. Microsoft, for example, has just taken what might prove to be a big step toward securing the enterprise cloud with a very different strategy. In October, the company introduced the concept of "shielded execution," which protects the confidentiality and integrity of a program and its data from the platform on which it runs.

The concept was introduced in a white paper presented at the 11th USENIX Symposium on Operating System Design and Implementation, along with Haven, a prototype of a system that provides this kind of security. According to the researchers, Haven "is the first system to achieve shielded execution of unmodified legacy applications, including SQL Server and Apache, on a commodity OS (Windows) and commodity hardware." The project aims to bypass the inherent risks of a hierarchical security architecture, in which the provider is trusted with full access to user data. The result, they wrote, will move us "one step closer to a true `utility computing' model for the cloud, where the utility provides resources (processor cores, storage and networking) but has no access to user data."

And has the enterprise perimeter really disappeared? The researchers behind the CSA Software Defined Perimeter (SDP) project might beg to defer, if only slightly. They're attempting to define a multi-layer security model to protect the application infrastructure from network-based attacks. The idea is to integrate into a single framework some well-known security strategies, such as network access control, one-time passwords, and digital certificates, with new approaches, such as identity federation, device attestation, and geo-location. Only authenticated access to app infrastructures would be allowed in public and private clouds, as well as traditional datacenters.

If they can pull it together, such a framework could thwart a range of attacks, including DDoS, man-in-the-middle, SQL Server compromises and APT hash theft, says Junaid Islam, co-chair of the SDP Research Group. Islam is also the co-founder and CTO of Vidder Inc., a company that offers its own SDP solution, which generates what it calls "dynamically provisioned perimeters."

"Connectivity in an SDP is based on a need-to-know model in which device posture and identity is verified before access to application infrastructure is granted," Islam explains.

The SDP Working Group sponsored a hackathon at the CSA conference, challenging developers to access a file server in a public cloud protected by the SDP from a different public cloud. The CSA says nearly 11 million attempts have been made as of mid-October. In that month's timeframe the SDP was yet to be hacked.