'Instant noodle' mindset undermines cloud security
SINGAPORE--Businesses are too quick to jump on the cloud computing bandwagon and not asking the right security questions before deploying, an industry observer has pointed out.
Such "instant noodle" mentality, where organizations want to quickly roll out their cloud deployments at the expense of security, is the "biggest mistake" in the era of collaboration and connectivity, said Anthony Lim, evangelist and representative of the International Information Systems Security Certification Consortium, or (ISC)2. He is also Asia-Pacific director for security solutions at IBM Singapore's Rational Software business unit.
Speaking at a security conference here Tuesday organized by market analyst IDC, Lim noted that cloud security considerations typically cover three areas: confidentiality, integrity and availability. However, he said, not enough attention is paid to the first two aspects.
"The No. 1 concern of computer security on the cloud is "a"--availability. [Businesses are] scared of downtime...[so they think:] 'the hell with data loss' [but] they should be more interested in the 'c' and the 'i'," he said.
Software the weak spot
Even with security tools in place to protect the cloud environment such as firewalls, intrusion prevention systems and encryption as well as measures such as regular audits or penetration testing, Lim added that organizations should not be lured into a false sense of confidence as "something is still out there".
Instead of attacking the infrastructure, hackers are focusing their efforts on the software layer which makes applications the "soft spot" of cloud computing, he said.
"Applications can be crashed to reveal source, logic, script or infrastructure information," he explained. "Applications can be compromised, applications can be hijacked, applications can be manipulated to reveal what it is not supposed to reveal. This is what is happening today."
He noted that malicious hackers are successful because, among other factors, it is "impossible" to write bug-free code or subject hundreds of thousands lines of code to a manual qualitative analysis. On top of that, he added, many companies do not have an application security QA (quality assurance) policy in place.
To further illustrate his argument, Lim noted that unvalidated input, broken access control and buffer overflows were among the 2009 list of top 10 critical Web application security issues highlighted by the Open Web Application Security Project.
Given that traditional security appliances cannot stop application attacks, organizations must then ensure the application is able to "defend itself", he pointed out.
To do this, the application must be written robustly and checked thoroughly for vulnerabilities and logic errors. On top of that, Lim said security testing should be conducted at the pre-production or production stages as it is too costly to do so only after the application is completed.
An IDC cloud computing poll conducted in April 2010 found that less than 10 percent of the 600 survey respondents from Australia, China, Hong Kong, India, Korea and Singapore were confident their enterprise security measures would be able to address cloud security.