How data security can vaporize in the cloud

PHOENIX -- While hosted cloud computing may be all the rage for reducing cost of ownership and management, IT managers say hosted storage services present dramatic security challenges and legal implications that need to be considered.

Arthur Lessard, chief information security officer at toy manufacturer Mattel Inc., in El Segundo, Calif., said during a presentation at Storage Networking World on Wednesday that cloud computing is appealing, even if many end users don't know what the word "cloud" means. For example, many confuse cloud computing with pure server and storage virtualization or simply backing up data to a remote site.

True cloud services should be characterized by grid-architected hosts with central management, applications that can be ported seamlessly from system to system, capacity that is easily provisioned and significant data redundancy, he said.

"We're talking software as a service," Lessard said.

When storage is hosted offsite in a virtualized server and disk array environment, cloud computing presents real limitations around authentication, and auditing - especially auditing of logging. The lack of auditing capabilities may affect the ability to record user logins, administrative actions and data writes, Lessard said.

"What I can't find out is who has been reading the data files, and ... depending on what business you're in, that might be important," he said.

There is also not usually any indication of login anomalies, such as repetitive attempts to log into your site under an incorrect name and password. That information is kept by the vendor and is usually part of a contract negotiation process. With respect to authentication, or who sets up the accounts and what control you have over accounts and how they're provisioned, most vendors offer self-registration into your applications, "and that can have holes," Lessard said.

"Most authentication in a cloud environment is done through user name and password only, so if I had a nifty two-factor authentication set up or biometrics, it's no longer offered," he said.

Most service provider also have restrictions against penetration testing of the cloud by their customers.

"To be honest, I can't blame the vendor because by doing penetration testing against their environment for your applications, it could impact someone else's applications," he said. "Remember, it's a cloud, and you don't have a lot of control over where my stuff is running or where it sits."

Hackers can also exploit security holds associated with hardware and software cloning in virtual server environments. Most operating systems have unique or personalized components when they're installed on hardware, and the OSes rely on the hardware to generate random numbers for public and private encryption key pairs and user IDs, even when they're being cloned onto new systems.

When operating systems are cloned in virtual environments, where new servers and software are stamped out to meet user demand, service providers may use pseudo-random number generators, which will pass back values that look random and for the most part are spread out over a range, but they aren't random and can be predictable, Lessard said.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.