Posts Tagged ‘Security’
It seems most companies understand the opportunities that cloud computing solutions and services open up for them, especially for SMBs. So the question now is: how to choose a good provider, the right one for your company, and to what extent cloud computing services should be used. The complexities are numerous: issues such as security management, attack response and recovery, system availability and performance, the vendor’s financial stability and its ability to comply with the law all need to be considered. A number of pieces of advice can be formulated in this regard (some are taken from a CIO article):
1) Choose trusted providers. Today there are a number of cloud tech companies to choose from, and new ones go live each month. Despite this, for cloud services it’s better to stick with trusted and solid companies. To name a few: Microsoft, Google, Intuit, Dropbox, Apple, Amazon, Salesforce. These are companies with deep pockets that deal with security, and your data is an important part of their business.
2) Distribute between free and paid accounts. For storing financial or similar information, paid accounts are preferable. For less critical data and applications, free accounts from big trusted cloud service providers may work well. For instance, Google can afford to offer decent free accounts because its business is well established and its free services act as bait aimed at attracting new users and then gently pushing them towards paid services and premium accounts.
3) Select the right apps and data for the public cloud. Some businesses, mainly start-ups, begin by using the public cloud for all applications, including mission-critical apps and their data. However, public clouds are neither for every organization nor for every application: what suits the default security provided by most cloud service providers are websites, application development, testing, online product catalogs and product documentation.
4) Evaluate and add security if it makes sense. CSPs can provide significantly different levels of public cloud security. The ISO/IEC 27000 series of standards provides guidelines for evaluating this. If necessary, security measures used in an organization’s internal private cloud may need to be extended to its public cloud instances, and some cloud products like CloudSpan allow doing this.
5) Make use of third-party auditing services. When it comes to security compliance, organizations need not simply take the CSP’s word for it. Third-party auditing services can be used to audit the security actually in place and compare it to what was promised.
6) Add authentication layers. Most CSPs provide good authentication services for public cloud instances. Some products like Halo NetSec can help add an additional layer of authentication. Before doing this, you need to weigh the benefits of better public cloud security against the costs of increased network latency, possible performance degradation and additional points of failure.
7) Weigh the effect of additional security on integration. Adding on top of the CSP’s default security may affect overall application performance and identity and access management. This is especially important to consider if you work with mission-critical applications that need to integrate with other business applications.
8) Make the security guarantees in the SLA clear to yourself. Public cloud security guarantees from CSPs should be clearly stipulated as service level agreements in the contract, so make sure that transparent monitoring and reporting functions are available to you as a customer, and that security processes, procedures and practices are transparent and verifiable, so that you can rely on this information.
9) Streamline logging and monitoring. Comparing one CSP’s logging and monitoring practices with another’s before you sign an SLA may reveal subtle differences in the security that’s provided, so it’s another key to ensuring public cloud security.
10) Add encryption. You may want to employ your own encryption instead of, or in addition to, that provided by the CSP. A number of installable products or SaaS vendors can do this type of encryption on the fly. (VPN-enabled cloud instances fall under this category of augmented public cloud security.) When this happens, only the customer and the third party know the key; the CSP does not.
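The point of tip 10, that the CSP never holds the key, can be shown in code. The following is an added example and not code from the original post (the customerKey type, the blobStore that stands in for provider storage, and the function names are all assumptions): an object is encrypted on the customer side with AES-256-GCM before upload, so the provider's storage only ever holds ciphertext, and a wrong key, a modified blob or a blob copied under another object name fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// customerKey is the AES-256 key. It stays with the customer (or its encryption
// vendor) and is never handed to the CSP.
type customerKey [32]byte

// blobStore stands in for the provider's object storage: the CSP only ever sees
// what this map holds, and that is ciphertext.
type blobStore map[string][]byte

func newCustomerKey() (customerKey, error) {
	var k customerKey
	_, err := rand.Read(k[:])
	return k, err
}

func gcmFor(key customerKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// upload encrypts on the customer side with AES-256-GCM and stores nonce||ciphertext.
// The object name is bound as associated data, so a blob copied under another
// object name will not decrypt.
func upload(store blobStore, key customerKey, name string, plaintext []byte) error {
	gcm, err := gcmFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store[name] = gcm.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// download fetches and decrypts; a wrong key, a modified blob or a renamed
// object makes gcm.Open fail instead of returning garbage.
func download(store blobStore, key customerKey, name string) ([]byte, error) {
	blob := store[name]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("missing or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(name))
}
```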
11) Spread outage risk across multiple, even redundant, CSPs. Cloud provisioning tools these days come already integrated with leading CSPs, and it’s possible to spin up additional server instances with multiple CSPs automatically on demand: they are turned on if average CPU utilization reaches a certain threshold and turned off once utilization drops. When spinning up additional instances, it may also make sense to use different CSPs in a round-robin fashion.
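The on-demand spin-up across several CSPs described in tip 11, as an added example that is not part of the original post (the pool type, the CPU thresholds and the provider names are assumptions): a small scaler adds an instance at the next CSP in round-robin order when average CPU reaches the high threshold and removes one when it falls to the low threshold, keeping a baseline fleet that is never scaled in so an outage at one CSP leaves the others serving.

```go
package main

// pool scales a fleet of server instances across several CSPs. Two CPU thresholds
// with a gap between them (hysteresis) stop the fleet from flapping on and off.
type pool struct {
	providers  []string
	next       int      // CSP that receives the next instance (round-robin)
	instances  []string // CSP name of each running instance
	baseline   int      // instances that are never scaled in
	scaleOutAt float64  // average CPU (%) at or above which one instance is added
	scaleInAt  float64  // average CPU (%) at or below which one instance is removed
}

// newPool seeds the baseline fleet round-robin so every CSP holds a share from the start.
func newPool(providers []string, baseline int, scaleOutAt, scaleInAt float64) *pool {
	p := &pool{providers: providers, baseline: baseline, scaleOutAt: scaleOutAt, scaleInAt: scaleInAt}
	for i := 0; i < baseline; i++ {
		p.spinUp()
	}
	return p
}

// spinUp starts one instance at the next CSP in round-robin order.
func (p *pool) spinUp() string {
	name := p.providers[p.next]
	p.next = (p.next + 1) % len(p.providers)
	p.instances = append(p.instances, name)
	return name
}

// spinDown stops the most recently started instance, never going below the baseline.
func (p *pool) spinDown() bool {
	if len(p.instances) <= p.baseline {
		return false
	}
	p.instances = p.instances[:len(p.instances)-1]
	return true
}

// observe applies one fleet-wide average CPU sample: scale out at the high
// threshold, scale in at the low one, do nothing in between.
func (p *pool) observe(avgCPU float64) {
	switch {
	case avgCPU >= p.scaleOutAt:
		p.spinUp()
	case avgCPU <= p.scaleInAt:
		p.spinDown()
	}
}

// perProvider reports how the fleet is spread across CSPs.
func (p *pool) perProvider() map[string]int {
	counts := map[string]int{}
	for _, name := range p.instances {
		counts[name]++
	}
	return counts
}
```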
Thus, as you can see, the experience of using cloud services can be adjusted and improved by following some advice. What’s crucial is finding a balance between cloud security and performance. Naturally there’s always a tradeoff: adding layers of security may come at the expense of applications running slower and potentially adds points of failure. Figuring out the right balance between security and performance, though difficult, is a must to run a strong business today.
Helen Boyarchuk – Business Development Manager (LI page)
Helen.Boyarchuk@altabel.com | Skype ID: helen_boyarchuk
Altabel Group – Professional Software Development
When you say “cloud”, somebody’s imagination draws a sky with dozens of funny-shaped airy clouds, while IT folks’ minds recall company names like Microsoft, Google, Dropbox, Amazon. Indeed, cloud computing has contributed tremendously to the business world, yet there is still much skepticism around such services and the reliability and security of remote clouds. Naturally, when you store all your data in the cloud you “shift” control over it and rely on a cloud provider; here your fears of data being lost, damaged, leaked or hacked, and of services and sites being kicked offline, come onto the stage. Legally, according to the agreement between you and the provider, the service provider would be responsible should any of the aforementioned occur, but at the end of the day the possible losses endured by the business resorting to the cloud are greater than the cloud service provider’s, since such events could result in the complete destruction of the business. So the decision to move to the cloud is a serious one.
Interestingly, more than a third (36%) named security as the main issue holding back uptake for them. This concern is contradicted by a number of factors:
Firstly, the whole point of cloud computing is that the applications and data being used sit on multiple servers at once, in data centers located around the world. Thus attacking one part of the infrastructure becomes virtually a waste of time, as redundancy will always ensure access to this data. It means attacking the data or performance of a targeted company becomes almost “mission impossible”.
Secondly, it makes sense to view the security question from the perspective of the capabilities of cloud computing systems versus those of internal software systems. How likely is it that a large cloud provider won’t have far more resources to direct at security than the average enterprise? The infrastructure of cloud computing systems is comprised of machinery and technology at the cutting edge of technological advancement, in addition to the far-advanced skills and knowledge of their workers; it is doubtful that this is accessible to an average business or computer user. Therefore, the business has a greater chance of loss handling the company data and software internally. As more and more organizations make the move into the cloud, it’s certain that safety and security measures will only increase.
Experts say a more reasonable concern relates to resilience and outages, not data breaches. Outages of Amazon or Microsoft are regularly reported. They can be caused by freak weather, as happened to Amazon Web Services, resulting in such popular services as Instagram and Netflix being pushed offline for a number of hours. Instagram’s outage hit the headlines due to a short period of downtime, but what if smaller companies using cloud providers find their sites knocked offline: how high up their cloud provider’s list of priorities will it be to get it fixed? In this case, for web sites it’s of vital importance to be hosted with multiple cloud providers, since this makes sites virtually unassailable, with close to zero downtime.
Worries about legal compliance are probably more justifiable. Under the Data Protection Act, organisations have to agree that personal data will not be moved outside a particular group of named European countries, but a cloud provider may be storing data in multiple jurisdictions. This problem isn’t insurmountable (personal data can be anonymised, for example), but it does make the decision to move to the cloud a more complex one.
To conclude, cloud computing service providers treat security, availability, privacy and legal compliance issues very seriously, since this is the essence of their very business. CSPs mostly have better machinery, technology and skills, and invest more in their further advancement, than an average enterprise could afford. Loss or damage of any data by a cloud services provider, or long downtime, does not only imply a possible demise or huge direct and indirect losses for the business to which the service was provided, but can be partially or completely fatal for the cloud computing service business and its reputation. Cloud service providers carry massive legal liability, which is a strong incentive for them to preserve a high quality of their services and treat issues with due diligence.
Or don’t you agree?
Helen Boyarchuk – Business Development Manager (LI page)
Helen.Boyarchuk@altabel.com | Skype ID: helen_boyarchuk
Altabel Group – Professional Software Development
Posted April 30, 2012
More than 600,000 Macs have been infected with a new version of the Flashback Trojan horse, which is being installed on people’s computers with the help of Java exploits. How does this infection affect Apple’s reputation for security? Let’s see what LI members think on this point:
“Not in the slightest. Most of Apple’s users wouldn’t know what Flashback is, nor would they care. Did Lulzsec’s hack of Sony’s PSN have any effect on Sony users? Not a bit.
If there will be any change it may be from Sysadmins realizing that there’s no such thing as a perfectly secure OS. Good education on how to use systems applies equally to Mac and Windows users – always has. The OS may be slightly better, but there are still multiple different apps and other attack vectors that can be used – following bad links probably the top of that list.”
Technical Project Manager & Info Sec Architect
“I think it is funny. Most people still think that only Microsoft software gets viruses.”
Real Time Card Stunts for sports teams & sports events
“Mac OS X has a great reputation for security in general, but it’s not perfect. Most of the malware we see exploits vulnerabilities in other platforms installed on top of OS X like Java and Adobe Flash. The latest, LuckyCat, even comes in through Microsoft Word 2011! Apple’s response may have been slow, but it was definitive. Apple has eliminated the threat with standard software updates. It’s just a question of time before the current variant of Flashback is extinct.
As for Apple’s reputation, it will be a bit tarnished by the outbreak because most people don’t understand the true mechanism of these attacks. That being said, since Apple controls when Java gets updated for OS X, Apple would do well to keep Java updated on a more regular basis. They allowed this vulnerability to exist for Mac OS X even when the main Java codebase had already been patched.”
Business Technology Consultant
“I would say that it shows that their OS isn’t inherently more secure, just less targeted, but that isn’t actually what was at play here.
The vulnerability wasn’t in OS X, but rather in the implementation of Java that came with it. Apple manages its own JRE deployment to OS X, and as a result this vulnerability came into play only on Apple’s environment. That vulnerability lends itself well to exploitation, and that’s what happened. Security…real security…was never about how tight an operating system or application is. I mean, that’s a part of it, but there isn’t anything that has no vulnerabilities. And so, the really important thing that determines security is the overarching process and capability to manage those vulnerabilities and deal with them. Microsoft used to entirely suck at this…but now they are the industry leader. Nobody issues patches like they do; theirs is the gold standard. And yes, some of their vulnerabilities go a long time without being fixed, but when I look at how much code comprises Windows these days, and the damage that results if they issue a bad patch, I don’t know that I really want to yell at Microsoft over it. And Apple does worse.”
Power Generation Cyber Security Lead
“I don’t think it affects it at all. Apple has always had a poor reputation for security in terms of providing patches in a timely manner. In terms of overall reputation for security though, the machines have enjoyed a minor user-base for years and thus were not targeted often. Now that the user base has increased exponentially in recent years, one can only expect that the amount of exploits in production for the platform will also rise.
In terms of my own personal feelings on the matter, I still trust my Mac. I still use an industry standard antivirus solution (ClamXav). Most importantly, I don’t surf the types of sites that typically are used to host malware, and I watch what I click on. I’ve been pretty happy and virus free for years, so no complaints here.”
at Aholattafun Creative Solutions
“It will probably have a small negative effect on the market perception of Apple security but perhaps the real question is will that have any impact on Apple’s business? My feeling is that Apple’s perceived security advantages do not lead to increased sales, but if they ignore the increasing threat to their platforms it could have a significant negative effect in the medium term.”
an Independent Consultant, Researcher and Author
Maybe you have something to add? You’re welcome to leave your comments.
We are now living in the age of the smartphone, and as Google has recently proved, millions of people are getting new phones every single week (over 500,000 Android devices are activated every day!). As the number of users increases, so will the security risks that smartphones bring to us.
Even though Android and the iPhone are pretty secure, they definitely can be broken and used to spy on people, steal data from the device and for other malicious purposes. The recent Carrier IQ scandal has shown that you don’t even need to know about an app on your phone, or approve it, for it to be running and transmitting every keystroke to a remote server.
With that in mind, below you may find LI members’ advice to help you keep your smartphone safe and secure:
«Trusting any individual app for security is questionable. If you have a knowledgeable programmer pal (in mobile, network security) and the source code is available, then you can tell with certainty that your smartphone is secure with an app. You can use that in tandem with a trusted smartphone antivirus, anti-malware, anti-rootkit software. At least you need to use this if you don’t have unencrypted source code at your disposal. If you download from the market you may not have source code. Most market operators check for security violations. Despite that, some apps send identifiable customer data for marketing purposes.»
Vinodh Sen Ethirajulu
Technical Lead, ING Institutional Plan Services
«I use the mobile security product from the company that makes the phone and I also have my phone locked using a pattern.»
Senior Sales Representative
«I, and all my techy friends, have standard phone security such as passwords and PINs; we have a home record of IMEI numbers and SIM references.
As for apps, we all use Preyproject. They have a free version which can secure 3 devices; it allows SMS or online activation, which sends reports to your email every 10 minutes with GPS location and WiFi tracking; it can also secure your laptop and, if it has a camera, will also email you a picture of the next person using it!! Genius!»
Systems Administrator at MWL Systems
«I do not own a Smartphone because there is no such thing as security with that particular device.»
MicroMentor Volunteer and Founder “Smalltofeds”
«I always prefer to use the security product or protection system provided by the mobile company itself, as it’s always doubtful to trust the various security-based mobile applications.»
Business Analyst at Algoworks
The security risks that a smartphone brings with it will only grow in number in the following years, and if you have any sensitive data on your phone (especially if you’re using Google Wallet or some sort of credit card number storage app) or don’t want to fall victim to any scam, you should start getting acquainted with the various security apps and tools available for your handset right now.
Many companies are having great success with cloud computing, and it’s evident that the market continues to grow quickly. Here are three surefire ways to fail with cloud computing and what you can learn from them to avoid suffering that same fate.
First, put the wrong people on the project. This is the most common way that cloud computing development, migration, and implementation projects fail. Cloud computing is a hyped “cool” space. Those who have the most political clout in an IT organization quickly position themselves on cloud computing projects. However, just because they are buddy-buddy with the CIO does not mean they have the architectural and technical skills to make the cloud work for the enterprise. Bad decisions are also made in terms of deciding how to select technology types and technology providers. When you select what’s popular versus what’s a true architectural fit, you shoot yourself in the foot.
Second, security is an afterthought. This means that those driving the project do not consider security and compliance requirements until after deployment. It’s almost impossible to retrofit security into a cloud computing deployment, so the approach and use of technology (such as encryption) should be systemic to the environment. This is a rookie mistake.
Third, select the wrong business problem to solve with cloud computing. The right approach is to pick new application development or existing application migration that is meaningful to the business, but that is not mission-critical. There are two paths to failure here. The first is to pick the “kill the business with a single outage” type of application, put it in the cloud, then pray to the Internet gods that nothing goes wrong. Too risky. The second is to pick a meaningless application that nobody cares about, move it to the cloud, and hope that somebody notices. Too underwhelming. Find something that falls in the middle.
Hope you’ll find the tips above useful.