An Unexpected Security Problem in the Cloud

Source – wsj.com

As more companies unplug their data centers and rent out cloud-computing services from providers such as Amazon.com Inc. and Microsoft Corp. , some are discovering an unexpected problem: They’re accidentally leaving their corporate data exposed for all the world to see.

Configuration errors made while using cloud-storage services are common, security experts say, and often occur when users set access permissions so someone outside of the company—say, a vendor—can see data. “More data has been lost due to poor configuration than anything else on the cloud,” says Vincent Liu a partner at Bishop Fox, a computer-security consulting firm.

The nonprofit GDI Foundation has tracked close to 175,000 examples of misconfigured software and services on the cloud this year.

The phenomenon is a byproduct of the cloud’s unchecked growth. Research firm Gartner Inc.predicts that the market for cloud-computing services will grow 17% this year to $247 billion—with cloud-infrastructure services leading the way. These are the basic computer storage, networking and computing services that are particularly prone to misconfiguration problems, Mr. Liu and others say.

Cloud computing caught on in part as an end-run around stodgy corporate information-technology departments, its proponents say. Instead of waiting weeks for IT staffers to turn on a new server in the data center, software developers were able to instantly purchase computer services from companies such as Amazon, using their Amazon accounts. For just a few dollars, coders could test out new programs on Amazon’s cloud within minutes.

The problem is, many cloud users simply don’t have the expertise to keep things as secure as they should, says David Linthicum, senior vice president with Cloud Technology Partners Inc., a consulting firm that helps corporations move to the cloud. “They’re new to cloud and they don’t understand it,” he says.

Security executives such as Pete Chronis call these unsanctioned projects “shadow IT.” Over the past few years, companies have increasingly brought such projects back under corporate IT’s control, says Mr. Chronis, chief information security officer at Turner Broadcasting System Inc. “What you’re seeing in some of these security incidents today is a lack of a plan and a lack of a governance model,” he says.

IT departments need to understand when a company’s assets are online, when software needs to be patched, how critical applications connect to each other and when developers are making “high-risk changes,” Mr. Chronis says. That can be hard to do, when the software is running on the cloud instead of corporate data centers, he says.

Amazon and Microsoft are making it easier for companies to keep on top of their cloud infrastructure. In August, Amazon introduced a service called Macie that helps companies determine when their cloud data is misconfigured or being accessed without authorization. Microsoft says it has several services to help customers protect sensitive data. “We continue to invest heavily in new innovations that build on our strength in cloud security,” a company spokesman says.