While more and more enterprises these days are using cloud infrastructures, the majority of executives are doubtful of their ability to secure their IT systems. This article takes a look at a special report published by the Ponemon Research Institute in November 2011, entitled “Managing Firewall Risks in the Cloud.”
The study was conducted in order to determine the challenges organizations face when managing access and securing firewalls and ports in their cloud environments. It claims to be the first study to look at the risk to cloud security, due to the fact that unsecured ports and firewalls are a common occurrence in enterprises.
The Ponemon study involved 682 IT and IT security practitioners in the US that worked in organizations using hosted or cloud servers (either dedicated or virtual private server). The majority of respondents reported that their organizations rely on both public clouds and hybrid (or semi-public) clouds. Forty percent of the organizations involved had a worldwide headcount of over 5,000 people.
The main areas of the study covered:
- Perceptions on organizations’ ability to mitigate the risk to their cloud servers
- Barriers to efficiently managing security in the cloud server
- Responsibility for managing cloud security risks
- The risk of open ports in a cloud environment
- The importance of certain features to securing the cloud server
The study reveals some surprising information regarding the confidence of executives and decision makers on the security of their cloud infrastructures. According to Larry Ponemon, chairman and founder of the Ponemon Institute:
“While we were surprised by the different attitudes towards cloud security among IT practitioners and compliance officers, the findings did reveal that security in the cloud is a concern for both groups [IT practitioners and compliance officers], especially in IaaS environments. What is most troubling is the fact that while respondents feel they lack adequate technologies to secure their IaaS environments, ownership for security in the cloud is dispersed throughout the organization.”
Important findings: security doubts
One of the most significant findings was that respondents do not have a lot of confidence in their organizations’ cloud server security. According to the study, over half (52%) of respondents rated their organizations’ overall management of cloud server security as fair (27%) or poor (25%).
A surprising 21% of respondents have no comment about the status of cloud server management in their organizations, indicating a lack of knowledge regarding cloud server management. This may reflect a lack of knowledge regarding the manner in which organizations are managing access and securing firewalls and ports in cloud environments.
Another aspect of the study took a look at the capabilities of IT operations and infrastructure personnel within organizations. According to the study, a substantial 41% of respondents said that their IT personnel were not knowledgeable about the potential risk caused by open ports in cloud environments.
The inability to manage access and secure ports and firewalls leads to risks to data and applications in the cloud server. Two-thirds (67%) of respondents reported that their organizations are “very vulnerable” or “vulnerable” because ports and firewalls in their cloud environments are not being secured in an adequate manner. Only 46% of respondents said that they have IT operations and infrastructure personnel who are “very knowledgeable” or “vulnerable” about such risks.
Key Features for Firewall Security
The study also examined some of the key technology features that were on the “wish lists” for IT practitioners. The top five features, including the percentage of respondents who regarded them as “very important” or “important” are follows:
- The solution closes ports automatically, so you don’t have to manually reconfigure your firewall (78%)
- The solution is inexpensive, costing companies about 20% of the cost of managed service solutions (73%)
- The solution provides centralized control over all closed and open ports on cloud servers (72%)
- The solution is scalable to all cloud servers irrespective of location (69%)
- The solution keeps all administrative ports closed on your servers without losing access and control (69%)
The research findings reflected that the overwhelming majority of IT practitioners agree that cloud server security is vulnerable. Open ports unnecessarily expose the company to increased hacker attacks and other security exploits.
The Ponemon Institute makes the following recommendations for enterprises with the IT infrastructures in the cloud:
- Create awareness among the organization’s leadership of the importance of cloud server security to safeguarding critical data and applications.
- Investigate solutions that are efficient as well as cost effective.
- Create accountability for cloud server security
- Make sure those who are accountable are aware of the risks.
- Ensure that cloud service providers have appropriate controls in place.
- Require cloud service providers to notify those accountable for cloud server security if the organizations’ applications or data are compromised by a security exploit or data breach involving an open port on a cloud server.
This article takes a look at the recent study published by the Ponemon Institute in November 2011: “Managing Firewall Risks in the Cloud.” The study examined various challenges organizations face when managing access and securing firewalls and ports in their cloud environments. The article takes a look at the key findings regarding cloud server security management in enterprises, as well as some major technological features that most IT practitioners want or need to secure their organizations’ cloud infrastructures. Finally, the article reveals some of the security recommendations made by the Ponemon Institute.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Enterprise and information risk management (Domain 2)
- Provider employee considerations (Domain 7)
- Provider selection and technical support (Domain 8)
- Recommended provider tools and capabilities (Domain 9)