Sunday, 11 December 2011

Cloud Security Reality vs The Sales Pitch

Sales people are often given the features of their product that they need to pitch to clients, only to find out that the product simply can't do what is claimed. Cloud security is certainly not the first area where this has happened, but it has just hit the media.

This article in the Herald titled "Cloud Security Evaporates in Testing" described how security firm "Pure Hacking" discovered that they could gain "'domain administrator' access over the unnamed cloud provider's network at the company's request."

"[They were] able to identify typical web application vulnerabilities such as cross-site scripting (code injection where malicious scripts are injected into trusted web sites), as well as more critical cloud security flaws, such as a lack of access controls that enables an attacker to gain unauthorised access to other users' web application accounts."

Considering how much cloud solutions have been in the media, you would think this sort of study would be done *before* doing full product launches. Perhaps that's not possible and maybe this is why we need early adopters. But I'm continually surprised by the difference between the actual capabilities of a product or service and what sales people are actually told. As sales people reading this, think about this - were you told to assure your clients that your cloud solutions were 100% secure? Did you have any actual evidence to back up that this was the case?

No wonder a lot of CIOs out there are sceptical about the security of new products. Ultimately, though, a lot of the sales people I speak to said they were aware of potential unknown security issues of public cloud and co-location. In general they have been recommending private or on-premise alternative solutions to clients who had mission-critical and secure data concerns, though pointing out the obvious problem - the cost savings will not be as drastic.
