HP finds cloud security practices lacking

Updated: Survey turns up some worrying results for private data
Tue Jun 14 2011, 16:16

MAKER OF OVERPRICED CONSUMABLES HP has said that many firms are not doing enough to secure users' private data.

Publishing the results of a survey of 341 security professionals it conducted at this year's Infosec conference, HP said that 24 per cent of respondents admitted that applications security is not a priority. HP said it found that many companies simply load applications that were not designed with security in mind into the cloud, putting private data at risk.

Some of the results from HP's survey make for worrying reading if you use cloud services. It reported that 15 per cent of respondents said they were either not confident or not at all confident that their business critical information was secure. Worse still, 35 per cent said that they can't even find, fix or prevent security vulnerabilities before they have been exploited, meaning that the door only shuts once the horse has bolted.

As for knowing what was going on in their cloud, 50 per cent of respondents said that they either didn't have applications monitoring or didn't know whether monitoring was in place. Monitoring of an application's behaviour is vital to knowing whether it has been infected with malware, according to HP.

Of course HP used these figures to promote its own network security appliances. However, Simon Leech, EMEA technical director for HP's TippingPoint, said that even with intrusion prevention systems (IPS) "many firms do not think about the usage of an IPS", adding that "work stops at the acquisition". Leech added that many companies that deal with personal data are required to have an IPS installed by default, but just having an IPS is not enough.

When asked whether HP's IPS could protect against attacks on the hypervisor, Leech admitted that at this point HP's systems do not detect them. Leech said, "Often people forgot about the hypervisor and that traditional network tools don't see the traffic within [the hypervisor]."

Leech did say that HP's TippingPoint could do deep packet inspection on many kinds of network traffic, including SSL traffic, though he added that it would need access to the server's key in order to do so, and that many banks and other outfits would not give access to such data.

Apart from tried and tested deep packet inspection techniques, Leech mentioned that HP's IPS also uses the reputations of particular IP addresses in order to classify threats.

While it is interesting to hear how HP is trying to foil attacks, far more worrying are the seemingly poor understanding and security practices of firms that use cloud services to store data. With the number of high profile cloud attacks growing, it is deeply concerning that firms are taking such a cavalier attitude towards data security. µ

UPDATE - 28 June 2011

Simon Leech got in touch with The INQUIRER wanting to clarify his comments regarding cloud security and in particular the hypervisor. Leech told The INQUIRER, "Security in a virtualised environment is also a concern. Both the traffic in between virtual machines as well as the mission critical hypervisor need to be taken into consideration in an organisation's security policy. HP TippingPoint can offer a solution for both, and are one of the only vendors in the market to do so, by taking a layered approach to the problem, secure the hypervisor inline at the data center perimeter, and the virtual machines by integrating into the hypervisor."

Regarding monitoring network traffic within the hypervisor, Leech said that traffic was monitored at the edges rather than within the confines of the hypervisor. "You don't have traffic monitoring 'within' the hypervisor. Traffic goes to and from the hypervisor, but not really 'within' it. That's why I discussed using HP TippingPoint IPS to protect the traffic going to and from, and HP TippingPoint SVF for the traffic going in between virtual machines."
