Seven Deadly Sins for a Cloudy Day

Don Sheppard (46 Posts)

I'm a Blogging Idol enthusiast who also does consulting for a living. I began my career as a railway data communications engineer. After working for a bank for 7 years, I took up the consulting challenge and I still find it challenging! I try to keep in touch with a lot of different I&IT topics but I'm usually working in areas that involve service management and procurement. I'm back into ISO standards development - in the area of cloud computing (ISO JTC1/SC38). I'm starting to get more interested in networking history, so I guess I'm starting to look backwards as well as forwards! My homepage is http://www.concon.com


This picture comes from Beartoons

As a proponent of the old OSI Seven Layer Model for network protocols, my ears/eyes always perk up when I see anything described in terms of 7 (layers, or sections, or topics). Hence my interest when I saw an article by Shane Schick in ComputerWorld Canada (May 2011) referencing the cloud’s 7 deadly sins. This article was derived from a UK report from the Information Security Forum.

For those who don’t want to follow the links, here are the 7 deadly sins:

  1. Ignorance: It is often the case that very few employees will actually be aware that their organization has adopted cloud computing. Ignorance, however, is not a defense. Knowing if your organization is in the cloud, and what this means for your business, is essential.
  2. Lack of knowledge: If you buy a cloud service, you’re normally accountable to their terms and conditions. Know what you are signing up to. Know what the terms and conditions are, and keep hold of the end user license agreement.
  3. Doubt: Are you able to audit your cloud supplier? Ensure that they are doing what they say they are by confirming the right to audit.
  4. Trespass: Which laws apply to this cloud agreement? Consider geography and familiarise yourself with which laws you are breaking and which you are complying with. Be able to demonstrate that you are not trespassing.
  5. Chaos and disorder: Know the sensitivity and the criticality of your information. People put data in the cloud because it is easy and cheap – they don’t worry about its sensitivity. Ensure you understand how the data is stored, backed-up, and destroyed.
  6. Conceit: When the CEO decides to go to the cloud, know whether you are actually cloud-ready. Most infrastructures are not ready for the cloud, indeed we’re often still struggling with VPN.
  7. Complacency: Everyone thinks that the cloud will never break, that we can put pictures on Flickr and they will be there forever. Remember, there is a metal underneath and the connection is somewhere. There is a single point of failure.

Too bad that some people think there are more than 7. See the article by Jay Fry of Cloud Commons.

There was also another article from Kathleen Lau on March 23 that describes the 7 deadly sins as identified by the Cloud Security Alliance. To quote the CSA…

CSA, in collaboration with Palo Alto, Calif.-based Hewlett-Packard Co., listed what they called the seven deadly sins of cloud security. The research is based on input from security experts across 29 enterprises, technology providers and consulting firms.

1. Data Loss/Leakage: There is not an acceptable level of security control for data in the cloud, said Reavis. Some applications could be leaking data as a result of weak API access control and key generation, storage and management. And, also data destruction policies may be absent.

2. Shared Technology Vulnerabilities: In the cloud, a single misconfiguration can be duplicated across an environment where many virtual servers share the same configuration. Enforce service level agreements (SLAs) for patch management and best practices for network and server configuration.

3. Malicious Insiders: The level of background checks that cloud providers perform on staff may differ compared to how enterprises usually control data centre access, said Reavis. “A lot of them do a good job but it is uneven,” he said. Perform a supplier assessment and outline a level of employee screening.

4. Account, Service and Traffic Hijacking: A lot of data, applications and resources are concentrated in the cloud where, with weak authentication, an intruder can access a user account and get at that customer’s virtual machines, said Reavis. Proactive monitoring of threats and two-factor authentication is advised.

5. Insecure Application Programming Interfaces: It’s important to perceive the cloud as a new platform and not merely as outsourcing when it comes to developing applications, said Reavis. There ought to be a vetting process surrounding application lifecycles, where the developer understands and applies certain guidelines regarding authentication, access controls and encryption.

6. Abuse and Nefarious Use of Cloud Computing: The bad guys are probably more progressive than the good guys in how they use technology, said Reavis. Hackers are seen very quickly applying new threats, combined with the ability to easily scale up and down in the cloud. All it takes is a credit card.

7. Unknown Risk Profile: Transparency issues persist concerning cloud providers. Account users only interact with the front-end interface and really don’t know which platforms or patch levels their provider is employing, said Reavis.
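The second CSA item above is the one with a concrete mechanism behind it: a single weak directive in a shared server template is cloned onto every virtual machine built from it, so the fix is to lint the template before it is rolled out, not to patch hosts one by one afterwards. The script below is an added example written for this post; it is not code from the original article, from the CSA, or from the ISF. It parses a constructed sshd_config-style template (full-line comments skipped, and the first value for a directive wins, as sshd itself does), checks it against a small constructed policy, and reports how many hosts in a constructed inventory would inherit each finding.

```python
"""Shared-template misconfiguration check.

Added example, not code from the original post or from the CSA/ISF. It
illustrates CSA's "shared technology vulnerabilities" point: one weak
directive in a server template is cloned onto every VM built from it.
The template format follows sshd_config (first value wins); the policy,
templates and inventory are constructed for illustration.
"""
from dataclasses import dataclass


def must_be(allowed):
    """Policy check: directive must be set to one of the allowed values."""
    return lambda v: v is not None and v.lower() in allowed


def at_most(limit):
    """Policy check: directive must be an integer no greater than limit."""
    return lambda v: v is not None and v.isdigit() and int(v) <= limit


# Constructed policy: directive -> (check, reason it matters)
POLICY = {
    "PermitRootLogin": (must_be({"no"}), "direct root login widens the impact of a stolen credential"),
    "PasswordAuthentication": (must_be({"no"}), "password logins are exposed to credential guessing"),
    "X11Forwarding": (must_be({"no"}), "unneeded feature adds attack surface"),
    "MaxAuthTries": (at_most(4), "high limit weakens brute-force resistance"),
}


@dataclass(frozen=True)
class Finding:
    directive: str
    value: str  # value found in the template, or "<unset>"
    reason: str


def parse_template(text):
    """Parse an sshd_config-style template into {directive: value}.

    Blank lines and full-line comments are skipped. As in sshd_config, the
    first value for a directive wins, so a hardening line appended after a
    weak one is ignored; the parser mirrors that so the lint sees what sshd sees.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings


def lint_template(text):
    """Return a Finding for every POLICY directive the template violates or omits."""
    settings = parse_template(text)
    findings = []
    for directive, (check, reason) in POLICY.items():
        value = settings.get(directive)
        if not check(value):
            findings.append(Finding(directive, "<unset>" if value is None else value, reason))
    return findings


def fleet_report(templates, inventory):
    """Lint each template and attach its blast radius: hosts built from it.

    templates: {template_name: template_text}
    inventory: {template_name: [hostnames]} (constructed)
    """
    report = {}
    for name, text in templates.items():
        findings = lint_template(text)
        hosts = inventory.get(name, [])
        report[name] = {"findings": findings, "hosts_affected": len(hosts) if findings else 0}
    return report


# Constructed sample data: a weak web-tier template and a hardened database template.
WEAK_TEMPLATE = """
# web tier base image (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 10
# appended later by a well-meaning admin; ignored because the first value wins
PermitRootLogin no
"""

HARDENED_TEMPLATE = """
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
"""

INVENTORY = {"web": [f"web-{i:02d}" for i in range(1, 13)], "db": ["db-01", "db-02"]}

if __name__ == "__main__":
    for name, entry in fleet_report({"web": WEAK_TEMPLATE, "db": HARDENED_TEMPLATE}, INVENTORY).items():
        print(f"{name}: {len(entry['findings'])} finding(s), {entry['hosts_affected']} host(s) affected")
        for f in entry["findings"]:
            print(f"  {f.directive}={f.value}: {f.reason}")
```

Running it reports three findings on the web template (PermitRootLogin, PasswordAuthentication and MaxAuthTries) affecting all twelve web hosts, and none on the database template. The first-value-wins rule is the detail worth keeping: the appended `PermitRootLogin no` line looks like a fix when reading the file, but the lint correctly reports the directive as still `yes`, which is exactly the kind of cloned mistake the CSA item warns about.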

Shane, in his article, challenged us to choose our top sin.  Maybe we should first choose our most favoured set of sins, then choose the top sin!!  Anyone care to choose their favourite?

