Monday, 20 December 2010 17:20

The dark side of Cloud Computing, and the need for eternal vigilance

They're quite smart on the Dark Side: scammers, identity thieves, and other ne'er-do-wells who're always ready to exploit online vulnerabilities whenever and wherever they see the opportunity, and Cloud Computing is their latest playing field. The solution, as always, is to be ever alert and ready for anything.

I got involved in some regular IT work so haven't penned an article for iTWire since mid-2009, but now I'm back! What's happened during my temporary absence from these august pages?

Let's see. Topics such as Web 2.0 and Enterprise 2.0 that were on everybody's lips back then don't seem to crop up all that much these days.

Virtualization was gaining steady acceptance, and now at the end of 2010 is commonplace, even passé. All the buzz now seems to be about mobility (iPhone, iPad, Android, mobility apps, location-based services), to the point that some supposed pundits are predicting the death of the desktop PC.

Then of course there's cloud computing, with different IT vendors and latter-day experts putting their own spin on just what this term means and predicting that 'cloud' will take over the computing universe.

They're all at different stages of awareness, adoption and implementation; witness the Gartner hype cycle concept (the 2010 hype cycle press release is here, also see Wikipedia's cautionary comments about Gartner's methodology).

Not content with espousing Web 2.0, various IT pundits have been going on about Web 3.0 and beyond. I've seen so much of such ravings over four decades in the industry that by 2007 I'd had enough, so put forward my own tongue-in-cheek prediction about the unreachable.

Alas, all the waffle and never-ending flow of acronyms continues: SOA, SaaS, PaaS, IaaS, E20 (this being one person's abbreviation that I've come across for Enterprise 2.0), and more and more … Will the torrent ever end? (Of course not.)

I'm sure you know that virtualization has been around for a long time. Indeed, my first big project at IBM Australia way back in 1970 was to help market and support the newly-announced IBM System/370 mainframe family. This was IBM's first large-scale commercial introduction of virtualization (though earlier systems implementing virtualization go back to the 1960s, see here and for completeness also see here).

My thoughts turned again to cloud computing the other day when I came across a good high-level summary article by Hewlett Packard called the 7 deadly sins of cloud security.

'Before you get too excited about the flexibility and cost savings offered by cloud computing, you should consider its not-so-silver lining: data security risk. Cloud service providers host multiple tenants who access a single instance of an application, which passes economies of scale down to the customer. However, this type of computing architecture moves your data outside the safety of your own firewall and puts it within close proximity to other tenants' data, introducing some key risks.'

The deadly sins are: cybercrooks never sleep; programming interfaces (APIs) can be a security weak point; your cloud provider's employees might not all be trustworthy; shared cloud technologies, like virtualization, amount to shared risk; it's difficult to ensure the proper backup of your data held in the cloud; identity theft can occur in the cloud environment; and 'the vast, unknowable risk of threats that may not become crystal-clear until cloud computing goes mainstream, if ever.'

Go read the article 7 deadly sins of cloud security to find out more (and watch the accompanying video).

The terms virtualization and cloud computing are not synonymous - even if some people talk about them as if they were - however the two do go well together. And having virtualization in place can make it easier for you to move on to cloud computing. Our afore-mentioned friends at Gartner have written a useful paper on this, From Secure Virtualization to Secure Private Clouds, making some points very similar to those in the HP article as well as highlighting a number of new considerations.

Gartner analysts have also warned about your being misled by some vendors claiming to be offering you cloud-based solutions:

"Because SaaS and cloud are hot concepts in the market, many suppliers are rebranding their hosting or application management or application outsourcing capabilities as SaaS or are claiming their solutions are available 'in the cloud.' Much relabeling of more-traditional application outsourcing approaches is occurring," Ms. Mertz said. "Suppliers run the risk of confusing and antagonizing buyers if they persist in this approach. Enterprises run the risk of getting nasty shocks when the thing they thought they were buying turns out to be something altogether different. Hosting and application management are not synonymous with SaaS, nor do they necessarily comply with the definition of cloud computing."


Going deeper into cloud security, pay a visit to the Cloud Security Alliance (CSA), a non-profit organization formed in 2008/2009 to promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing.

While virtualization and cloud computing are by no means synonymous, they usually go hand-in-hand. Our afore-mentioned friends at Gartner have a paper that's worth reading, From Secure Virtualization to Secure Private Clouds.

There are now quite a few providers of one form or another of cloud computing. The whole field is rather fragmented, with moves toward interoperability and standardization only in their early stages.

Of these players, Microsoft offers both online packaged applications in the form of Office Live and its comprehensive cloud computing platform Windows Azure, which is their 'operating system for the cloud', whereby they offer the cost advantages usually claimed for cloud computing, such as pay per use and scalability on demand. (Windows Azure was officially launched in Australia in April 2010.)

More precisely, Windows Azure is a cloud services operating system, running on servers in Microsoft data centers around the globe (you can't license Azure for your own servers). Your own or third-party developers can modify existing applications, or write new ones, to run in the Azure environment. Development can be done in Microsoft's .NET programming languages (Visual Basic .NET or C#), but also in other languages such as PHP, Java or Ruby.

And it is with cloud-based user applications that the main potential for security exposures can arise, just as with any application development and deployment. In the rush to get your applications running 'in the cloud' you must not fail to consider all the security implications and design the applications appropriately.

As one example of the level of detail that you need to dive into in order to properly design cloud application security, take a look at the following Windows Azure training resources (from Microsoft's security newsletter for November 2010):

  • Data Security in Windows Azure: Part 1 (video) - Various methods and tools for securing your application data in Windows Azure including methods for securing Azure Storage accounts and data during the transition to the cloud.
  • Data Security in Windows Azure: Part 2 (video) - How to make your Azure Storage container and blob items URL-addressable in a secure fashion, including the setup of permission structure on the URLs, generating hashes to secure individual items and containers, expiration and revocation of storage hashes and keys, and auditing access to the store.
  • How to Configure SQL Azure Security (video) - Demonstrations on the creation of logins, databases and users and information about sys.sql_logins and sys.databases, which allow the display of logins and databases from the master database.
  • How to Configure the SQL Azure Firewall - How to define firewall settings to specify which clients should have access to your SQL Azure server.
  • How to Manage SQL Azure Firewall Rules (video) - About the IP Firewall Rules inherent in SQL Azure, and how to connect to an SQL Azure database using Microsoft SQL Server Management Studio 2008.

As another example, VMware users have for some months now been able to take advantage of the VMware vShield suite of virtual appliances, which address security threats while, they say, increasing efficiency and memory benefits beyond other more conventional non-integrated antimalware products. Products like VMware vShield Endpoint do this by optimizing antivirus and other host and endpoint security for use in VMware vSphere and VMware View 4.5 environments.

The point here is not especially about Windows Azure or VMware's vSphere or whatever other vendor's cloud platform you've decided to use. It's that, if you want to avoid committing some of those seven deadly sins referred to earlier, it's absolutely essential to go into a high level of detail about cloud security on both the application design/development side and the operational side.

This is going to chew up development and deployment resources, but this is a cost you avoid only at your own peril.



Tony Austin

Worked at IBM from 1970, for a quarter century, then founded Asia/Pacific Computer Services to provide IT consulting and software development services (closed company at end of 2013). These days am still involved with IT as an observer and commentator, as well as attempting to understand cosmology, quantum mechanics and whatever else will keep my mind active and fend off deterioration of my grey matter.
