Cloud computing and mobility have been in the headlines recently, but not for showing how enterprises use them for making huge productivity gains.
Instead they’re signs for some of insecure systems thanks after attackers stole passwords from cloud storage services and revealed celebrity images from Apple’s iCloud.
For enterprises cloud computing and mobility represent a loss of control for IT, Kurt Roemer, Citrix Systems‘ chief security strategist, said in an interview in Toronto during the company’s one-day mobility conference for customers and partners.
“However, if you’re designing for mobile and cloud as your primary use cases and that loss of control, and you have the right security on top of it to give IT back the relevant control … you wind up with a better security infrastructure that can then be applied across the enterprise.”
And while cloud and mobility are a “fact of life” for organizations, they make a lot of sense as well, he added. Saves IT a lot of money, increases productivity, makes the organization more agile. But “we need to make sure we asking the right security questions.”
He praised security guidance for cloud provider offered by the Cloud Security Alliance. Apple, Samsung and Google also offer enterprises and individuals good advice on how to secure devices, he said. “It’s probably unfortunate most individuals don’t read those,” he added.
Looking at the number of data breaches reported in the last 12 months, he agreed that there could be despair about the state of IT security. But, he added, “it’s not all bad … its helping people understand where they shouldn’t be relying on just one set of technology, that they need to have a security solution that protects their use cases, that they have multiple levels of security where it makes sense.”
Serious threats come from SQL injection and cross-site scripting vulnerabilities, which he said “are preventable problems if you’re going though and sanitizing user input” like usernames and passwords and credit card numbers into form fields. From the Web application developer’s point of view they should be treated as untrusted and scrubbed to take out bad characters and key phrases. “But often times they’re not developed that way. If applications were developed perfectly we wouldn’t have most of these problems — most because attackers are always learning new attacks.”
The biggest mistake enterprises make is “not understanding how the applications or the network can be used and abused. If IT thinks more abut what people are using it for and how use cases evolve over years they will realize you have to tailor your security solution and constantly update it so that you’re hitting evolving use cases, protecting the app and also making sure you’re keeping up with the attacks as much as possible.”