Securing the cloud takes understanding and avoiding the pitfalls

As Canadian CIOs looking increasingly at various flavours of the cloud for some of their organization’s solutions they also have to consider the security impacts — in particular if they can use their current strategy or need a separate one for the cloud.

An article this week on CSO Online citing two recent vendor surveys that brings interesting light to the question and points to information CISOs need to keep in mind.

For example, an analysis of customer data from cloud security provider Alert Logic shows that in all types of cloud environments by far the most common type of incident was a Web application attack (75 per cent), followed by brute force attack (16 per cent), reconnaissance (5 per cent), and server-side ransomware (2 per cent).

Of those Web app attacks, the most common vectors were SQL (47.74 per cent), Joomla (26.11 per cent), Apache Struts (10.11 per cent), and Magento (6.98 per cent).

Of the sites that faced brute force attacks WordPress was the most common target at 41 per cent, followed by MS SQL at 19 per cent.

Note that WordPress, Joomla and Magneto are public cloud offerings.

So one question raised by this data is what’s your organization’s strategy for protecting against these attacks?

The article quotes Alert Logic advising CISOs to focus on three main areas for their cloud security strategy:

— Security tools for cloud environments must be native to the cloud;

— Define your architecture around the security and management benefits offered by the cloud, not the same architecture used in your traditional data centers;

–Identify points where cloud deployments are interconnected to traditional data centers running legacy code, because these are weak points.

The other survey cited was done for network monitoring solutions provider Gigamon. Half of the respondants said the cloud can “hide” information that enables them to identify threats. Almost half agreed that with the cloud they don’t see information on what is being encrypted, on insecure applications or traffic, while about one-third said they don’t get information on SSL/TLS certificate validity.

There are ways to solve the visibility problem, a Gigamon official is quoted as saying, starting by identifying how you want to organize and implement your security posture. These include any or all of intrustion detection systems (IDS), security information and event management (SIEM), forensics, data loss prevention (DLP), advanced threat detection (ATD).

There’s also this advice from the Gigamon exec: Not everything about a company’s existing security strategy has to change for the cloud. Keep using deep content inspection for forensics and threat detection, for example.

Cloud security is a tough challenge for CISOs. It takes a lot to craft a strategy that protects the organization yet still allows the advantages of flexibility that cloud allows. But as many organizations can show, there are ways.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now