Network World - SAN FRANCISCO -- Cloud security loomed over the RSA Conference this week as a major concern of business, but worry about the threat of cyberwar was also strong, with officials from the White House and FBI weighing in to encourage private participation in government efforts to defend information and communications networks.
During the highest-profile panel at the conference, a former technical director of the National Security Agency bluntly said he doesn't trust cloud services. Speaking for himself and not the agency, Brian Snow said cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. "You don't know what else is cuddling up next to it," he said.
In his keynote address, Art Coviello, the president of RSA, the security arm of EMC, agreed that customers need to be assured the cloud is safe. Coviello told the 4,000 attendees gathered for his talk that cloud services will inevitably be adopted widely because of the huge financial benefits they offer. "But you won't want any part of that unless service providers can demonstrate their ability to effectively enforce policy, prove compliance and manage multi-tenancy," he said.
The big problem is trust, he said. His own company announced at the show a partnership with Intel and VMware to improve trust by enabling measurement of cloud providers' security. The effort would let customers of cloud infrastructure services weigh the security of the service and get metrics to deliver to auditors who are sent to determine whether businesses comply with government and industry security standards. "Service providers should be able to tell compliance officers and auditors just about anything they need to know -- with verifiable metrics," Coviello said.
But warnings about other cloud threats came through loud and clear. At the Cloud Security Alliance (CSA) Summit held earlier in the conference, for example, the CSA announced a report on its top concerns about cloud security, and they were major, including documented use of cloud infrastructure-as-a-platform to launch botnets.
CSA, an industry consortium of users and vendors, also highlighted vulnerabilities in the means given to cloud customers to access and manage the services they buy. These APIs are not necessarily secure and could offer attackers a chink through which they could infiltrate cloud networks and the corporate content entrusted to them. The answer: "Ensure strong authentication and access controls are implemented in concert with encrypted transmission," CSA said. CSA's report details 10 threats as well as fixes, but stands as a warning about embracing cloud services without carefully weighing the downsides.
While Coviello touted the ability to give auditors and compliance officials the data they need to assure businesses meet security regulations, the validity of such regulations was questioned by the top White House cybersecurity adviser during his keynote address. Cybersecurity coordinator Howard Schmidt told the conference that security compliance under the Federal Information Security Management Act is flawed. "You can be [Federal Information Security Management Act] compliant but still not be secure," he said. "We agree that work needs to be done on that."