CCSK Guide
7Nov/11Off

Cloud Security Doubts: Firewall Risk Management

While more and more enterprises these days are using cloud infrastructures, the majority of executives are doubtful of their ability to secure their IT systems. This article takes a look at a special report published by the Ponemon Research Institute in November 2011, entitled “Managing Firewall Risks in the Cloud.”

Background

The study was conducted in order to determine the challenges organizations face when managing access and securing firewalls and ports in their cloud environments. It claims to be the first study to look at the risk to cloud security, due to the fact that unsecured ports and firewalls are a common occurrence in enterprises.

The Ponemon study involved 682 IT and IT security practitioners in the US that worked in organizations using hosted or cloud servers (either dedicated or virtual private server). The majority of respondents reported that their organizations rely on both public clouds and hybrid (or semi-public) clouds. Forty percent of the organizations involved had a worldwide headcount of over 5,000 people.

The main areas of the study covered:

  • Perceptions on organizations’ ability to mitigate the risk to their cloud servers
  • Barriers to efficiently managing security in the cloud server
  • Responsibility for managing cloud security risks
  • The risk of open ports in a cloud environment
  • The importance of certain features to securing the cloud server

The study reveals some surprising information regarding the confidence of executives and decision makers on the security of their cloud infrastructures. According to Larry Ponemon, chairman and founder of the Ponemon Institute:

“While we were surprised by the different attitudes towards cloud security among IT practitioners and compliance officers, the findings did reveal that security in the cloud is a concern for both groups [IT practitioners and compliance officers], especially in IaaS environments. What is most troubling is the fact that while respondents feel they lack adequate technologies to secure their IaaS environments, ownership for security in the cloud is dispersed throughout the organization.”

Important findings: security doubts

One of the most significant findings was that respondents do not have a lot of confidence in their organizations’ cloud server security. According to the study, over half (52%) of respondents rated their organizations’ overall management of cloud server security as fair (27%) or poor (25%).

A surprising 21% of respondents have no comment about the status of cloud server management in their organizations, indicating a lack of knowledge regarding cloud server management. This may reflect a lack of knowledge regarding the manner in which organizations are managing access and securing firewalls and ports in cloud environments.

Another aspect of the study took a look at the capabilities of IT operations and infrastructure personnel within organizations. According to the study, a substantial 41% of respondents said that their IT personnel were not knowledgeable about the potential risk caused by open ports in cloud environments.

The inability to manage access and secure ports and firewalls leads to risks to data and applications in the cloud server. Two-thirds (67%) of respondents reported that their organizations are “very vulnerable” or “vulnerable” because ports and firewalls in their cloud environments are not being secured in an adequate manner. Only 46% of respondents said that they have IT operations and infrastructure personnel who are “very knowledgeable” or “vulnerable” about such risks.

Key Features for Firewall Security

The study also examined some of the key technology features that were on the “wish lists” for IT practitioners. The top five features, including the percentage of respondents who regarded them as “very important” or “important” are follows:

  • The solution closes ports automatically, so you don’t have to manually reconfigure your firewall (78%)
  • The solution is inexpensive, costing companies about 20% of the cost of managed service solutions (73%)
  • The solution provides centralized control over all closed and open ports on cloud servers (72%)
  • The solution is scalable to all cloud servers irrespective of location (69%)
  • The solution keeps all administrative ports closed on your servers without losing access and control (69%)

Next Steps

The research findings reflected that the overwhelming majority of IT practitioners agree that cloud server security is vulnerable. Open ports unnecessarily expose the company to increased hacker attacks and other security exploits.

The Ponemon Institute makes the following recommendations for enterprises with the IT infrastructures in the cloud:

  • Create awareness among the organization’s leadership of the importance of cloud server security to safeguarding critical data and applications.
  • Investigate solutions that are efficient as well as cost effective.
  • Create accountability for cloud server security
  • Make sure those who are accountable are aware of the risks.
  • Ensure that cloud service providers have appropriate controls in place.
  • Require cloud service providers to notify those accountable for cloud server security if the organizations’ applications or data are compromised by a security exploit or data breach involving an open port on a cloud server.

Summary

This article takes a look at the recent study published by the Ponemon Institute in November 2011: “Managing Firewall Risks in the Cloud.” The study examined various challenges organizations face when managing access and securing firewalls and ports in their cloud environments. The article takes a look at the key findings regarding cloud server security management in enterprises, as well as some major technological features that most IT practitioners want or need to secure their organizations’ cloud infrastructures. Finally, the article reveals some of the security recommendations made by the Ponemon Institute.

CCSK Exam Preparation

In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:

  • Enterprise and information risk management (Domain 2)
  • Provider employee considerations (Domain 7)
  • Provider selection and technical support (Domain 8)
  • Recommended provider tools and capabilities (Domain 9)

Enjoy this article?

Consider subscribing to our rss feed!

Tagged as: , , , , , , , , Comments Off
Comments (0) Trackbacks (0)

Sorry, the comment form is closed at this time.

No trackbacks yet.

» «

Login

Sponsored Links

Tags

access control Amazon Amazon EC2 API audit authentication authorization best practices compliance contracts CSA data breach data breaches data security disaster recovery encryption EU google government IaaS IAM identity identity federation interoperability lock-in management Microsoft open source PaaS portability private cloud provider selection public cloud risk management risks SaaS security SOA standards threats trends vendors virtualization virtual machines vulnerabilities

Archives

Meta



Our mission: Provide reliable and accurate information to cloud security professionals seeking CCSK certification.



We expect individuals seeking the Certificate of Cloud Security Knowledge will find our information specifically targeted at their CCSK pursuit useful. Our test preparation software and forums give candidates a higher chance for success.

Thank you for visiting. Since you're new to the site:
  • Please review the user agreement.
  • Register for the site so you may use the testing services.



    • We hope you find this service useful, and good luck on the exam!