Cloud computing adds security challenges, but also provides opportunities to improve security posture, according to Steve Lipner, senior director of security engineering strategy at Microsoft.
In addition to traditional threats such as cross-site scripting, code injection and denial of service, cloud computing expands some of those threats and introduces others, he said.
“Data privacy issues such as data location and segregation, and privileged access control, become greater in the cloud, for example,” he said.
Threats introduced by cloud computing infrastructures include new types of privilege escalation vulnerabilities from virtual machine (VM) to host or VM to VM.
“These are the kinds of new issues that organisations looking at cloud services need to ensure have been taken care of by service providers”, said Microsoft's Lipner. But the good news, he said, is that the cloud computing model also provides opportunities to mitigate threats, such as slow or incomplete security patching.
“With cloud services, patching is automated to ensure all applications are up to date from a security point of view at all times”, said Lipner. Instances of applications can also be run on more secure systems within the service providers’ infrastructure and there is greater resilience across the service, he said. But Lipner said the decision to move to cloud services is ultimately a business decision that must be taken based on a risk analysis.
“There is always a trade-off between cost and security”, he said.