How can businesses tackle the security challenges presented by a cloud IT environment? Software vendor, CA, dished out some advice at the CA Expo at the Sydney Convention and Exhibition Centre.
CA chief security architect, Tim Brown, outlined the increased security threats facing organisations.
Creation of malware used to be motivated by notoriety but this has changed since Web 2.0 came onto the scene. With more technology, reach, better bandwidth and a connection into almost every home, the “bad guys” learnt how to make money and organised crime has come into the picture, according to Brown.
“Over a short period of time – about a year – the motivation of malware shifted from notoriety to monetary,” he said.
Brown claimed 98 per cent of malware is created purely for either stealing information off a machine or taking control of a machine and using it as part of a botnet. Organised crime has also entered the picture and cyber attacks have become big business.
“They’re looking, they’re investigating, they are finding threats before the good guys find the threats and they are taking advantage of that,” he said. “It just shows the level of maturity they have.
“... The cloud and virtualisation are really going to make this issue of where data is stored, how data is controlled, even more difficult.”
Companies that choose to adopt external cloud models are presented with risks and opportunities. Handing information and applications over to a third-party service provider might seem risky, but a service provider may enforce better security practices to protect the data than can be done internally, according to Brown.
“That said, we see a huge number of disparate companies in the cloud,” he said. “We’re seeing a huge expansion right now, especially on the infrastructure-as-a-service (IAAS) area where lots of little companies are popping up, willing to give you machines on demand.
“The problem is, not all these guys are very mature... So it is really buyers beware in some of these instances.”
Overall, Brown saw the loss of control, distrust in service providers and users' lack of awareness of what has gone into their cloud environments as some of the major challenges in this field.
He made the following recommendations to solve the problems:
- Identify appropriate cloud solutions by evaluating the people, processes and technology that affect the cloud.
- Evaluate service providers on depth of solution, security, references and viability.
- Understand the risk and create complete compliance plans that include the cloud provider and its solutions. Adjust, not overhaul, security policies to fit a cloud environment.
- Closely scrutinise contracts, service level agreements, availability and disaster recovery plans.
- Understand how the cloud service works and what it can do for the business; become an auditor.
- Move security closer to the data, such as through encryption and managing keys appropriately.