Page 138 - Cloud Essentials

However, in the cloud computing world, providers will themselves be in this outside world. In addition, it might be necessary to have secure communication between services that are both "in the cloud." Furthermore, important categories of users might have access to the organization's resources through the public Internet.


Network Security

As a consequence of having multiple providers and users connecting over the Internet, there will be multiple touch points between the organization and the outside world, and it will become necessary to manage multiple distributed firewalls. Some of these firewalls may be operated by your cloud provider to act as a wrapper around the resources that you have established with that provider. A customer would have some limited form of managing this firewall function.

Even though firewalls are important to protect digital assets, they are not all that is required for appropriate security. Using Secure Sockets Layer (SSL) security certificates protects transmitted data between networked computers by encrypting it, but it is sometimes not enough to meet certain standards. PCI DSS certification requires a combination of security mechanisms, not just one such as SSL. Other attack approaches have always existed and will increase in importance as the security technology matures. Such attack approaches include social engineering, cross-site scripting, and so on, and they apply to in-house as well as cloud-based IT.
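The paragraph above says a cloud customer ends up managing several distributed firewalls, each a touch point with the outside world, and that the customer typically has only limited control over the provider-operated ones. One practical consequence is that the rule sets need to be reviewed together rather than one provider at a time. The following is an added example, not code from the book, that audits a constructed set of ingress rules from hypothetical providers ("provider-a", "provider-b", "on-prem") and reports every world-open port that is not a public web port, plus the full list of Internet-facing touch points. The rule fields are an assumed, simplified model of what real providers expose.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """A simplified firewall rule; the field set is an assumption for this example."""
    provider: str   # hypothetical provider or site name
    name: str       # rule identifier as the provider would show it
    direction: str  # "ingress" or "egress"
    protocol: str
    port: int
    cidr: str       # source range for ingress rules
    action: str     # "allow" or "deny"

# Constructed sample rule set spanning several hypothetical firewalls.
RULES = [
    Rule("provider-a", "web-allow-https", "ingress", "tcp", 443, "0.0.0.0/0", "allow"),
    Rule("provider-a", "db-allow-internal", "ingress", "tcp", 5432, "10.0.0.0/8", "allow"),
    Rule("provider-b", "mgmt-ssh", "ingress", "tcp", 22, "0.0.0.0/0", "allow"),
    Rule("provider-b", "rdp-office", "ingress", "tcp", 3389, "203.0.113.0/24", "allow"),
    Rule("on-prem", "db-allow-any", "ingress", "tcp", 3306, "0.0.0.0/0", "allow"),
    Rule("on-prem", "deny-all-v6", "ingress", "tcp", 22, "::/0", "deny"),
]

# Ports that are expected to be reachable from anywhere (assumed policy).
PUBLIC_OK_PORTS = {80, 443}

def is_world_open(cidr: str) -> bool:
    """True for a range covering the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def touch_points(rules):
    """Distinct (provider, port) pairs that an Internet client can reach."""
    return sorted({
        (r.provider, r.port)
        for r in rules
        if r.direction == "ingress" and r.action == "allow" and is_world_open(r.cidr)
    })

def audit(rules):
    """Flag allow rules that expose a non-web port to the entire Internet."""
    findings = []
    for r in rules:
        if r.direction != "ingress" or r.action != "allow":
            continue
        if is_world_open(r.cidr) and r.port not in PUBLIC_OK_PORTS:
            findings.append((r.provider, r.name, r.port,
                             "world-open ingress on non-web port"))
    return findings

if __name__ == "__main__":
    for provider, port in touch_points(RULES):
        print(f"touch point: {provider} port {port}")
    for provider, name, port, reason in audit(RULES):
        print(f"FINDING {provider}/{name}: port {port}: {reason}")
```

Because the rules are normalised into one model before the checks run, the same audit applies to a provider-managed firewall and an on-premises one; adding another provider is a matter of translating its rule export into `Rule` objects.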


Social Engineering

Social engineering is the act of manipulating people to disclose some kind of confidential information. Examples include the following:

- A hacker posing as IT personnel, calling an unsuspecting end user and asking for their mailbox password before a fictitious weekend mail system upgrade

- A hacker sending a seemingly authentic mail message with a link to a fraudulent web site where victims might divulge personal data such as banking information


These types of risks exist with both in-house IT system hosting and cloud computing. Cloud customers must be satisfied that cloud provider personnel have completed security training and are not susceptible to social engineering attacks. The key is educating users about these dangerous possibilities.
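The second example in the list above, a seemingly authentic message linking to a fraudulent site, has a mechanical tell that user education usually highlights: the address shown in the message does not match where the link actually points. The following is an added example, not from the book, of the check a mail gateway or awareness tool might run. It parses a constructed HTML message that mimics the "weekend mail system upgrade" pretext, and flags any anchor whose displayed URL names a different host than its real `href`. The message text and host names are constructed for this example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the "weekend upgrade" pretext.
SAMPLE_BODY = """
<p>Your mailbox will be upgraded this weekend.</p>
<p>Confirm your password at
<a href="http://login.example.net/verify">https://mail.example.com/login</a></p>
<p>Questions? See
<a href="https://helpdesk.example.com/faq">helpdesk.example.com/faq</a>
or <a href="https://helpdesk.example.com/contact">contact us</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_or_text: str):
    """Hostname of a URL, or of bare text that looks like a URL; None for plain words."""
    s = url_or_text.strip()
    if "." not in s or " " in s:
        return None          # "contact us" makes no claim about a host
    if "://" not in s:
        s = "//" + s         # let urlparse treat scheme-less text as a network location
    return (urlparse(s).hostname or "").lower() or None

def find_suspicious_links(html: str):
    """Return (href, shown text, reason) for links whose displayed host is misleading."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        link_host = host_of(href)
        shown_host = host_of(text)
        if link_host is None:
            continue
        if shown_host and shown_host != link_host:
            findings.append((href, text,
                             f"displayed host {shown_host} differs from link host {link_host}"))
            continue
        try:
            ipaddress.ip_address(link_host)
            findings.append((href, text, "link points at a bare IP address"))
        except ValueError:
            pass
    return findings

if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_BODY):
        print(f"SUSPICIOUS: '{text}' -> {href}: {reason}")
```

The check deliberately ignores links whose visible text is ordinary prose, since those carry no host claim to contradict; it is a single signal for a gateway or training tool, not a complete phishing classifier.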




