Mistakes security vendors make in the cloud

Mistakes security vendors make in the cloud

A cautionary tale of how one security vendor went astray in the computing cloud, and what the channel can learn from it. When security experts sound the alarm about embracing cloud computing with little understanding of the risks, it’s usually a case where the expert — working for a vendor — is making a pitch for their employer’s products. That’s all well and good, but here’s the problem — some of them have trouble keeping their own side of the cloud clean. Nils Puhlmann, co-founder of the Cloud Security Alliance, revealed one example where a sizable security vendor made multiple mistakes in the cloud.
Here is a list of what NOT to do when securing the cloud.

slide 1

MISTAKE 1: Updating the SaaS without telling customers

Customers using a particular version of the SaaS product were caught unaware when the vendor decided to roll out a new version through the cloud. It was done in a way where, at the moment of the upgrade, any new endpoint that was added to be managed automatically got the new version. Customers were not asked or notified, and were forced into a mixed-version environment as a result.

Click here to find out how an online storage provider turned off of all their passwords accidentally.

slide 2

MISTAKE 2: Not offering a rollback to the last version

The problem with the first mistake is that customers are now faced with compatibility issues in their environment that can cause a freeze-up of essential IT functions, including those related to security. The natural course for the IT security practitioner is to uninstall the new but incompatible version, dust off the CD with the last version of the product, and re-install the version that has proven itself stable in that environment. But in the cloud it’s not always so simple, especially in this case, where the vendor offered no rollback option.

slide 3

MISTAKE 3: Not offering a choice to select timing of an upgrade

Dealing with new versions of a software that prove incompatible is nothing new. It happens every month when Microsoft releases its security updates. But in most cases, IT has control over when an update is pushed out. Most channel partners run the updates through tests before deployment. But in this case, there was no control over the timing of upgrades in their environments, Puhlmann said.

For more on Microsoft and its security patches click here.

slide 4

MISTAKE 4: New versions ignore prior configurations

The third mistake was particularly problematic because the new version of the SaaS product proved buggy. For example, it disregarded whitelist and firewall settings programmed into the previous version, causing computers to suddenly bog down with pop-up warnings for a variety of commonly-used applications, including those built and maintained in-house.

slide 5 

MISTAKE 5: Not offering a safety valve

Had the vendor offered some sort of safety mechanism in its cloud configuration, customers could have at least limited the damage upon realizing a bug was mucking up the works, Puhlmann said. But as far as he could tell, there was no such mechanism.

If you want to know how much security professionals are paid click here.

slide 6

What the channel can learn from this

Puhlmann does credit the vendor for its response to the mistakes he warned them about. They are now working to improve the process. For channel partners delving into the cloud who may have concerns about these things happening to them, his advice is simple: Ask a lot of questions before signing on the dotted line.

slide 1

More mistakes to avoid

Puhlmann added: “You have to ensure things you did in the past, before the cloud, can still be done,” he said. “You have to know for sure that services managed in the cloud have the highest integrity, and that you will have choices over whether to receive an update and when the update is made.”

Hot selling devices spell great insecurity opportunities
Risk management in cloud computing
It’s not funny when security becomes a joke

slide 7

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Jeff Jedras
Jeff Jedras
A veteran technology and business journalist, Jeff Jedras began his career in technology journalism in the late 1990s, covering the booming (and later busting) Ottawa technology sector for Silicon Valley North and the Ottawa Business Journal, as well as everything from municipal politics to real estate. He later covered the technology scene in Vancouver before joining IT World Canada in Toronto in 2005, covering enterprise IT for ComputerWorld Canada. He would go on to cover the channel as an assistant editor with CDN. His writing has appeared in the Vancouver Sun, the Ottawa Citizen and a wide range of industry trade publications.

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.

More Slideshows