Welcome!

Linux Containers Authors: Elizabeth White, Carmen Gonzalez, Liz McMillan, Pat Romanski, Jyoti Bansal

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Linux Containers, Agile Computing, Cloud Security

@CloudExpo: Article

Cloud Security Myths: Busted

In many cases, the average enterprise or SME can't keep up with all of the security controls necessary to protect data in-house

In a Feb 2014 survey, 94 percent of organizations surveyed reported running applications or experimenting with infrastructure-as-a-service.[1] According to research firm Nasumi, there is over one exabyte currently stored in the cloud. An exabyte is over a billion GB.[2] Considering the amount of data in the cloud and the growing rate of adoption for sensitive use cases, it is natural that securing our data in the cloud is a concern. But, cloud security, though rightfully a central concern, should not be a hindrance to aggressively moving workloads and applications to the cloud.

In fact, there are some misconceptions about cloud security that need to be laid to rest.

Myth #1: A cloud provider's customers can attack each other
The multi-tenant environment of cloud computing has given rise to a misconception that the provider's many customers can access each other's data and accounts with little effort. This is tantamount to saying that your neighbors can break into your home easier than a thief from across town.

The truth is that virtual walls segregate you from other customers. Your hypervisor is the primary separator and is extremely difficult to hack. If you add other safeguards like VLAN isolation and proper data encryption and key management, your data is completely safe from other cloud customers.

The Alert Logic State of Cloud Security Report concludes "It's not that the cloud is inherently secure or insecure. It's really about the quality of management applied to any IT environment."

Myth #2: Data in the cloud in more susceptible to risk than data in the datacenter
In survey after survey, we find that the reason that cloud computing isn't growing even faster than its staggering CAGR is companies' security fears. But, like many fears, this one mixes legitimate concerns with ignorance. Depending on the details, data in the cloud may actually be safer than data in the datacenter.

In fact, a 2014 study found that once businesses learn about and experience cloud computing, concerns about security vanish. Close to one-third of executives and professionals who have not yet implemented cloud say security is their top concern, a number that diminishes to 13 percent of seasoned, heavy users of cloud services (and is only the fifth-ranked concern on their list).[3]

Arthur W. Coviello, Jr., Executive Chairman for RSA, puts it simply, "security concerns are really independent of the cloud. They're just an extension of what is being dealt with in the physical infrastructure."[4]

In many cases, the average enterprise or SME can't keep up with all of the security controls necessary to protect data in-house. For a cloud provider, conversely, it is a core business function. They typically invest in the strongest forms of network security and detection and attain compliance certifications that reduce the risk for the data they're tasked to protect.

If your core business isn't preparing tax returns, you hire someone who can do it for you: someone with the right background, experience, and tools. Someone who does a better job than you could do yourself. The same applies when it comes to protecting your data: using a provider who specializes in doing so will create better results than doing it yourself.

Myth #3: Using a trusted cloud provider guarantees protection of data
The internet is filled with comparisons of the trustworthiness of cloud providers. Those researching a cloud solution are often tasked with ensuring the cloud provider conducts audits, provides certifications, complies with industry regulations, properly screens their employees, etc. While all of these elements have their place in assessing the trustworthiness of a cloud provider, they don't completely protect your data because it is not just the cloud provider's responsibility to protect your data.

The truth is this: whether you build your own private cloud, store your data in a public cloud, or keep your sensitive business information under your mattress, the duty to protect your data is yours alone.

Amazon Web Services (AWS) accounted for 37% of the $9 billion infrastructure as a service (IaaS) market in 2013, according to analysts from equity research firm Evercore. The IaaS market is growing by 45%, but Amazon Web Services has a growth rate of 60%.[5] AWS is currently the biggest public cloud provider. And yet, in the AWS Security Center, they clearly state "AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure."

Because you control the security of your accounts and data, you can ensure that you still own your data - even though you are housing it in public infrastructure.

The way to ensure your data is safe in the cloud is by encryption. Encryption, and the management of encryption keys, is not just about safety, it is also about ownership. If you encrypt properly, you will own your data even though you are renting infrastructure form a cloud provider.

To simply and effectively achieve encryption key management, the best practice is coupling the innovative techniques of split key encryption and homomorphic key management. They will be the assurance that no one (not even your cloud provider) can access data you store in the cloud and that everything you store in the cloud is completely safe, segregated, and protected in a way that is scalable, automated, and cost-effective.

Resources

  1. http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2014-state-cloud-survey
  2. https://www.nasuni.com/wp-content/uploads/2013/02/nasuni_infographic_the_state_of_cloud_storage_in_2013-4.jpg
  3. http://www.forbes.com/sites/joemckendrick/2014/04/03/cloud-security-fears-diminish-with-experience-survey-shows/
  4. http://www.vmware.com/files/pdf/VMware-Cloud-Security-Myths-Strategies-Uncovered-White-Paper.pdf
  5. http://www.businessinsider.com/amazon-web-services-market-share-2014-6

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web communications world. The 6th WebRTC Summit continues our tradition of delivering the latest and greatest presentations within the world of WebRTC. Topics include voice calling, video chat, P2P file sharing, and use cases that have already leveraged the power and convenience of WebRTC.
Discover top technologies and tools all under one roof at April 24–28, 2017, at the Westin San Diego in San Diego, CA. Explore the Mobile Dev + Test and IoT Dev + Test Expo and enjoy all of these unique opportunities: The latest solutions, technologies, and tools in mobile or IoT software development and testing. Meet one-on-one with representatives from some of today's most innovative organizations
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in Embedded and IoT solutions, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 7-9, 2017, at the Javits Center in New York City, NY. Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology, is a premier provider of advanced server Building Block Solutions® for Data Center, Cloud Computing, Enterprise IT, Hadoop/Big Data, HPC and E...
Internet of @ThingsExpo, taking place June 6-8, 2017 at the Javits Center in New York City, New York, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @ThingsExpo New York Call for Papers is now open.
WebRTC sits at the intersection between VoIP and the Web. As such, it poses some interesting challenges for those developing services on top of it, but also for those who need to test and monitor these services. In his session at WebRTC Summit, Tsahi Levent-Levi, co-founder of testRTC, reviewed the various challenges posed by WebRTC when it comes to testing and monitoring and on ways to overcome them.
DevOps is being widely accepted (if not fully adopted) as essential in enterprise IT. But as Enterprise DevOps gains maturity, expands scope, and increases velocity, the need for data-driven decisions across teams becomes more acute. DevOps teams in any modern business must wrangle the ‘digital exhaust’ from the delivery toolchain, "pervasive" and "cognitive" computing, APIs and services, mobile devices and applications, the Internet of Things, and now even blockchain. In this power panel at @...
WebRTC services have already permeated corporate communications in the form of videoconferencing solutions. However, WebRTC has the potential of going beyond and catalyzing a new class of services providing more than calls with capabilities such as mass-scale real-time media broadcasting, enriched and augmented video, person-to-machine and machine-to-machine communications. In his session at @ThingsExpo, Luis Lopez, CEO of Kurento, introduced the technologies required for implementing these idea...
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists peeled away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud enviro...
"A lot of times people will come to us and have a very diverse set of requirements or very customized need and we'll help them to implement it in a fashion that you can't just buy off of the shelf," explained Nick Rose, CTO of Enzu, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
The WebRTC Summit New York, to be held June 6-8, 2017, at the Javits Center in New York City, NY, announces that its Call for Papers is now open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 20th International Cloud Expo and @ThingsExpo. WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web co...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
For basic one-to-one voice or video calling solutions, WebRTC has proven to be a very powerful technology. Although WebRTC’s core functionality is to provide secure, real-time p2p media streaming, leveraging native platform features and server-side components brings up new communication capabilities for web and native mobile applications, allowing for advanced multi-user use cases such as video broadcasting, conferencing, and media recording.
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
WebRTC is about the data channel as much as about video and audio conferencing. However, basically all commercial WebRTC applications have been built with a focus on audio and video. The handling of “data” has been limited to text chat and file download – all other data sharing seems to end with screensharing. What is holding back a more intensive use of peer-to-peer data? In her session at @ThingsExpo, Dr Silvia Pfeiffer, WebRTC Applications Team Lead at National ICT Australia, looked at differ...
The security needs of IoT environments require a strong, proven approach to maintain security, trust and privacy in their ecosystem. Assurance and protection of device identity, secure data encryption and authentication are the key security challenges organizations are trying to address when integrating IoT devices. This holds true for IoT applications in a wide range of industries, for example, healthcare, consumer devices, and manufacturing. In his session at @ThingsExpo, Lancen LaChance, vic...
With all the incredible momentum behind the Internet of Things (IoT) industry, it is easy to forget that not a single CEO wakes up and wonders if “my IoT is broken.” What they wonder is if they are making the right decisions to do all they can to increase revenue, decrease costs, and improve customer experience – effectively the same challenges they have always had in growing their business. The exciting thing about the IoT industry is now these decisions can be better, faster, and smarter. Now ...
Fact is, enterprises have significant legacy voice infrastructure that’s costly to replace with pure IP solutions. How can we bring this analog infrastructure into our shiny new cloud applications? There are proven methods to bind both legacy voice applications and traditional PSTN audio into cloud-based applications and services at a carrier scale. Some of the most successful implementations leverage WebRTC, WebSockets, SIP and other open source technologies. In his session at @ThingsExpo, Da...
Who are you? How do you introduce yourself? Do you use a name, or do you greet a friend by the last four digits of his social security number? Assuming you don’t, why are we content to associate our identity with 10 random digits assigned by our phone company? Identity is an issue that affects everyone, but as individuals we don’t spend a lot of time thinking about it. In his session at @ThingsExpo, Ben Klang, Founder & President of Mojo Lingo, discussed the impact of technology on identity. Sho...
A critical component of any IoT project is what to do with all the data being generated. This data needs to be captured, processed, structured, and stored in a way to facilitate different kinds of queries. Traditional data warehouse and analytical systems are mature technologies that can be used to handle certain kinds of queries, but they are not always well suited to many problems, particularly when there is a need for real-time insights.