What are the main benefits & risks associated with using cloud applications?
In my reply, I will focus on the risks since I’m sure that the benefits will be covered extensively by others. The benefits are also discussed so much and so often that they hardly bear repeating.
One of the main risks is that of moving into new and uncharted territory. If you’re moving from a traditional in-house Data Center set-up to a mix of Public/Hybrid clouds and SaaS, your IT department/security teams will be starting from scratch. They won’t know where to secure your enterprise and your data. As a result, they’ll have to do some research since you need to re-do basically all of your risk assessments/threat modeling and then find ways to mitigate and eliminate threats. The “Cloud” has opened up for a whole new segment of security tools such as CASB (Cloud-walls) and Cloud-crypters.
Featured Download: CISO Data Breach Guide
There is also the “critical mass” aspect to consider. Any vulnerability on the hypervisor level (like the recent one referenced here: http://www.itnews.com.au/News/396180,amazon-forced-to-reboot-ec2-to-patch-xen-bug.aspx) will expose a large number of corporate clients to some extent. Where one bug surfaces, I’m willing to bet more will soon arise. Therefore, at any given moment, a zero-day vulnerability in your cloud environment potentially exists.
The bad guys are ROI aware usually, and it’s only a matter of time until they start targeting either the hypervisors or the guys running the hypervisors, similar to the NSA’s targetting of sysadmins. I’d advise interested parties to find ways to mitigate this threat in advance, especially if you’re moving business critical data to the cloud. Be in control of the keys and secure them internally, as Bruce Schneier has repeatedly advised.
Claus Cramon Houmann | IT Security Consultant | @ClausHoumann
To find out more about our panel members visit the biographies page.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.