SPECIAL: CLOUD COMPUTING

Education and standards critical to minimize cloud risk

The Cloud Computing Security Forum 2011, organized by Kornerstone Institute in Hong Kong, featured experts speaking on the fears and doubts around cloud computing

By Ross Milburn

The opening speaker at the Cloud Computing Security Forum 2011 focused on the growing impact of cloud computing on the whole IT landscape. “Everything on the Web is reinventing itself with a service orientation,” said Dr Meng-Chow Kang, director & CISO, APJC, Cisco Systems, and Advisor, (ISC)² Asia Advisory Board. “Computing as a utility means that you can turn it on and off like a water tap, and subscribe or unsubscribe as you like. Users can also subscribe to several clouds, which may take public, private and hybrid form—even a community cloud used by several organizations with related needs.”

But cloud computing demands a different security policy from that of traditional IT systems and software. “A major advantage of cloud technology is information segregation,” said Kang. “Moving your non-sensitive public data to the external cloud can reduce the exposure of your internal, sensitive data—this simplifies compliance analysis and makes your sensitive data more secure. In the private cloud, you can have private information about your core business.”

Kang quoted from the US-based NIST (National Institute of Standards and Technology) definition of cloud computing: “Benefits include broad network access over the network through thin or thick client platforms, including mobile phones, laptops, and PDAs; rapid elasticity of provisioning to quickly scale out, and scale in; measured service, in which resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service; and on-demand self-service for provisioning of computing capabilities.”

Kang also summarized the series of malware attacks made against high-profile organizations including Gmail, Twitter, Google, Amazon, and Sony.

Security standards are needed for cloud computing, but rapid technology change makes that a big challenge. Concerns of cloud users include trust based on transparency and assurance; policy, which might preclude exposure of data to foreign governments, and other compliance issues; and data confidentiality, integrity and availability. “You may not know where the service provider is based and, since some providers outsource, you may not even know who the real provider is,” said Kang. “The standards community is trying to provide solutions and professional certification is also important.” Kang advocated the use of security standards, especially ISO/IEC JTC1/SC27 Security Techniques and ITU Study Group 17.

Web security

The second speaker emphasized a fundamental truth about web vulnerability: “All the security problems on the web are focused on attacking and exploiting software applications,” said Anthony Lim, director, AP, Security Business, Rational Software, IBM Singapore. Lim supported his claim with a list of the top ten web security issues in 2010, from OWASP (Open Web Application Security Project), which were all related to manipulation or failure of applications. The top three, for example, were: SQL

continued on page 26

24 Computerworld Hong Kong July/August 2011 www.cw.com.hk