Slide deck that accompanies an article I wrote for CSO Online

1. 5 Critical Security Issues in Cloud
Computing
Information security can make or break your cloud project
By John Kinsella, Protected Industries / published by CSOonline.com

2. Private clouds are not secure
 A cloud placed behind enterprise firewall is not inherently
secure – it needs to be implemented and managed with
security in mind
 Security is limited to the weakest link – be that users,
departments with less security sense, or unprotected
applications
 Consider that a private cloud might morph to public in the
future via “capacity clearinghouses.” Security could quickly
become a large concern, at too late a point in time

3. Security visibility and risk
awareness
 Monitoring not just resources, but the security state of a
cloud is of utmost importance
 Do not just gather metrics – make them easily accessible,
displayed in a meaningful way. Look for potential issues
every day, not only during compliancy-required monthly
reviews
 Research what metrics your cloud provider is able to provide.
Consider how they can improve your security posture

4. Safely storing sensitive information
 Sensitive data must be encrypted with a strong industry-
trusted encryption library. Do not “roll your own”
 Very difficult to guarantee absolutely no eavesdropping in a
cloud environment
 Decide to encrypt data in the cloud, or before It gets to the
cloud

5. Application security
 The shared environment and difference in security
architecture of a cloud increases the importance of
application security
 Before migrating an application to the cloud, perform an
architecture review and see where cloud benefits can be
leveraged
 Migrating an application to the cloud is a unique chance to
increase the security of the application through increased
availability, ability to scale, and use of cloud APIs

6. Authentication and authorization
 Should enterprise authentication be extended to the cloud?
Depends on usage and sophistication of security program
 Authentication system should be flexible enough to support
different authentication methods for different cloud services
 Wide variety of commercial solutions available
 Authentication and authorization system logs can provide
insight into reconnaissance or malicious activity

7.  Read the article at www.csoonline.com/article/717307
 By John Kinsella, Protected Industries
www.protectedindustries.com