While many companies are considering moving applications to the cloud, the security of the third-party services still leaves much to be desired, according to experts at the recent Black Hat Security Conference.
The current economic downturn has made cloud computing a hot issue, with startups and smaller firms rushing to save money using virtual machines on the Internet and larger firms pushing applications such as customer relationship management to the likes of Salesforce. Yet, companies need to be more wary of the security pitfalls in moving their infrastructure to the cloud, experts say.
"Guys at the low end are using (cloud infrastructure) to save money, but the danger is that the guys at the top end start to use it without any auditing," says Haroon Meer, technical director at security firm SensePost, who discussed his team's research into some aspects of Amazon's Elastic Compute Cloud (EC2) at the Black Hat security conference.
Their experiments showed that companies frequently do not scan the third-party machine instances available from some providers. A malicious instance could easily be created as a Trojan horse to gain access to a company's internal network, Meer said.
With those pitfalls in mind, here are five lessons from the presentations at Black Hat.
1. Cloud offers less legal protection
Companies need to realise that data in the cloud is subject to a lower legal standard in terms of search and seizure. The government, or an attorney focused on discovery, may be able to subpoena the data without a search warrant.
Cloud providers are more concerned with protecting themselves and not the client, says Alex Stamos, a principal security consultant at iSec Partners, so don't expect the legalese in service agreements to favor your company.
"All of these (cloud-services) companies have very active and very well-trained legal departments," Stamos said. "And as a result, the agreements you agree to when you sign up for these services, basically promise you absolutely nothing."
If someone breaks in because of the provider's mistake, the client agrees not to hold the firm responsible. If there is a data loss because of a data center failure, the provider are not obligated to do anything for you, Stamos says.