Cloud Computing Security: Shifts Risks to Endpoint Data Leakage
by Eirik Iverson, Product Management
Organizations that fail to account for endpoint security in their shift to cloud computing will increase their data leak risks. When web browsers and malware-infected computers accessing cloud computing services leak confidential information with little to no indication of data loss, the economic benefits of cloud computing and the security benefits of using common applications (Kerckhoffs's Principle) unwind.
Cloud Computing Economics Can Save Organizations Real Money (Quick Background)
Historically, an enterprise acquires and deploys robust hardware to host private and publicly facing server applications. This includes component and system redundancy to attain those additional nines for availability. It also includes the infrastructure software and IT personnel to manage these beasts, which consume a considerable amount of costly electricity and Internet/network bandwidth.
Imagine if an enterprise partnered with another to share all of the above. This might reduce their costs by half. Add another partner, reduce them more. That’s cloud computing. It's analogous to the progression in the 1990s from private line to frame relay and ATM to MPLS, Metro Ethernet, DSL, cable and other local Internet access media. Add in web services and other technologies, and an enterprise would realize workflow, analytic, and transaction economic gains.
Shared Cloud Computing Software Promises Better Application Security
We can assume that cloud-based software will be more secure than custom applications or even self-hosted shrink-wrapped applications, because more users means more risk, which means more stress and penetration testing and more aggressive patching of discovered vulnerabilities. This reminds me of Kerckhoffs's Principle, which characterizes the value of peer review of cryptographic algorithms. This does NOT mean that new algorithms or new applications will not have problems early on. It means that over time they will either converge toward having no vulnerabilities or will be discontinued in favor of something better.
Cloud Computing Poses Horrifying Enterprise Data Leakage Scenarios
A cloud computing service provider tends to employ robust physical security at its data center as well as various network-based cyber security services to limit access. All this exists to prevent unauthorized access and disclosure of what can be extremely confidential information. Now enter the end-user with valid, perhaps robust authentication, whose privileges may be tightly regulated via fine-grained authorization policies and audit records.
Here’s the rub! A typical cloud computing end-user accessing a cloud computing service:
- Uses any web browser (i.e., unpatched and actively exploited vulnerabilities)
- With who knows what plug-ins and extensions (i.e., unpatched and actively exploited vulnerabilities)
- With one or more other browser tabs/windows opened simultaneously running dynamic applet code (i.e., man-in-the-browser attack)
- All of this running on any computer in who knows what state of malware compromise (i.e., signature-based malware detection yields a less than 50-50 shot at identifying today’s malware)
- Traversing either a very safe or an extremely dangerous local network for Internet access (i.e., man-in-the-middle attack)
- From any location in the world (i.e., identity theft)
Whatever a cloud computing application authorizes an end-user to access can also be accessed via any of these data leak risks!
How Reliable is Endpoint Data Leak Detection?
Most IT personnel tend to be network-centric in their mitigations of security risks. So, malware has evolved accordingly by encrypting its communications to the mother ship, obfuscating or hiding its communications within seemingly legitimate traffic, using ever-changing botnets to mediate communications, and, in the case of laptops, limiting communications to when the laptop is off the enterprise network. Ironically, many IT personnel don’t trust personal firewall logs for malware communication detection because malware could compromise the logs.
And, if cloud computing only audits data access by user ID and IP addresses, how does one really know what data has traversed and/or resides on what computer of an unknown state? So really, how reliable can data leak detection be?
Endpoint Security Considerations for Minimizing Cloud Computing Data Leaks
Examine your employee workforce from the standpoint of their roles. To do his/her job, does an employee require a stateless computing environment where no data is stored locally? Or, does an employee require a general purpose computing environment where confidential data storage may or may not be necessary?
For the stateless computing environment roles, consider network computers, Live CDs, and other stateless technologies. While this greatly minimizes data leakage rather than absolutely eliminating it, it certainly simplifies information accountability: where is it?
For roles requiring a general purpose computing environment, make computer protection from zero-day malware your top priority. We recommend AppGuard Enterprise and EdgeGuard, which are centrally managed security software products. Next, implement endpoint security policy enforcement to harden the computers and minimize the potential for insider mistakes. For policy enforcement, which also includes assessing and correcting issues with other 3rd party security software (e.g., antivirus, disk encryption, etc.), we recommend EdgeGuard, which offers both protection and policy enforcement. EdgeGuard also takes most of the pain out of allowing employees to operate computers with local admin rights.


