OpenSSL and Cloud Security Concerns
The recent revelation of the serious OpenSSL vulnerability dubbed “Heartbleed” has security implications for IT departments across the board. Even though companies have been working to quickly patch the flaw, it is still not clear how much important data may have been compromised prior to its discovery. Regardless of the actual impact, however, Heartbleed is an important reminder of how critical security is, especially with regard to cloud services.
In his recent ZDNet article, writer Liam Tung raises some important points about cloud service security. Regarding security attacks, there is a report from Verizon showing that of 47,000 breach investigations in 2012, there didn’t appear to be a difference in number between cloud and internally hosted services. So, based on that one small sample, one could assume that cloud services are not necessarily more vulnerable.
Of course that’s history (and a single sample) but the real challenge is the future. Companies thinking of moving any of their services to the cloud need to do a careful risk/reward analysis by doing their homework and asking questions of their support service companies. In general, security implementations operate in a similar manner whether in a virtual or physical environment, but the cloud versions can often be stripped back. That can sometimes mean poorly implemented network access controls, which can unfortunately lead to inappropriate access to data.
In another example, physical on-location security devices can be made highly scalable and deliver high performance. Their cloud-based virtual counterparts, on the other hand, often don’t deliver that same high performance.
So there are tradeoffs to be evaluated, but with the proper planning, analysis and project management, cloud services can be implemented safely and securely. In fact, there is evidence that the more experience IT departments and corporate management have with the cloud, the more comfortable they are with it. Security concerns with cloud services seem to be higher with those who have yet to take the plunge and move to the cloud.
The bottom line is that Heartbleed has given us all a clear reminder … security concerns are real and very important given the amount and types of data we are keeping online. In working with our clients on everything from data centers to disaster recovery, The Cavan Group never loses sight of the importance of carefully evaluated, implemented and tested security processes and procedures. That has always been our approach to every job we do.