Skip Links

Cloud security stokes concerns at RSA

Businesses are adopting public cloud services despite numerous risks

By , Network World
April 23, 2009 02:48 PM ET

Network World - SAN FRANCISCO — Two words — cloud security — dominated discussion and drove the action this week at RSA Conference 2009.

Throughout the event, attendees — who seemed to number fewer than in recent years — were warned of a broad spectrum of potential danger areas from cloud computing services, including data loss and integrity, compliance, liability, reliability, authentication and information life-cycle management.

"It is a security nightmare, and it can't be handled in traditional ways," said Cisco CEO John Chambers in his keynote address. "You'll have no idea what's in the corporate data center."

Cloud security clearly lags, experts said, advising that until it catches up, businesses need to understand the dangers, weigh them against the corporate benefits and exercise aggressive risk management.

But there are promises of help from vendors whose RSA announcements were tailored to address some of the cited cloud shortcomings. Cisco, for instance, announced a cloud-based security service that pulls threat data from around the Internet and pushes it to users.

This is similar to an approach touted at the show by Trend Micro ahead of a formal announcement coming next month. Its OfficeScan client-server suite relies on servers in Trend's network to check the reputations of files, Web content and e-mail rather than relying on desktop protection, which may not be up-to-date.

Similarly, McAfee's CEO Dave DeWalt during his keynote address announced his company's road map toward predictive security, cloud-based sharing of threat intelligence among different categories of security devices to find and block malicious activity sooner than traditional methods.

Network services provider Savvis launched a Web application firewall service based on a choice of Imperva WAF appliances or virtual instances of its software that reside between the Internet and its network. Savvis said it thinks customers comfortable with its software-as-a-service offerings will also embrace cloud-based security.

Arthur Coviello, president of conference sponsor RSA, said that his company's cooperation with Cisco and Microsoft will result in common language to enable the sharing of intelligence about data-loss threats in the cloud as well as within corporate networks.

Nevertheless, defensive measures lag far behind the known vulnerabilities of public cloud computing services, according to customer-driven groups trying to deal with the problems.

During RSA, two major cloud-security groups — one primarily based in the United States and one European — informally joined forces to pressure vendors to do more.

The Cloud Security Alliance (CSA) used the show as a platform to launch its efforts to standardize security for cloud computing with the release of its "Security Guidance for Critical Areas of Focus in Cloud Computing", an 83-page document detailing 15 areas of security concern.

Later that same day, the Europe-based group Jericho Forum served up an outline of threats it perceives.

Chris Hoff, a security consultant who wrote the architecture section of the CSA paper, shuttled from that group's launch over to the Jericho Forum event to support its effort, which he says overlaps very closely with that of CSA. "Your concepts make sense," he said.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News