CeBIT 2011: Cloud standards unlikely to allay security concerns says expert

They would offer no protection against insider threats, says ESET chief

Creating standards will not eliminate security concerns around the cloud, and could result in more targeted attacks, according to Richard Marko, CEO of security provider ESET, who was speaking at a panel session called "The Importance of Security".

Marko was responding to a call by Kaspersky Lab's chairwoman Natalya Kaspersky for more standardisation from cloud providers across their architectures to increase trust in cloud services.

Although Marko agreed that standardisation will help foster trust between providers and their clients, he argued that having each layer of a cloud infrastructure controlled precisely and uniformly could result in the sort of insider attacks that are almost impossible to guard against.

Company insiders will know exactly what architecture standards their company has in place across its hardware and software layers and so could deliberately target them, he said.

"I agree with standardising cloud services, but it isn't the full solution in terms of security," he added.

However, Joachim Schaper, vice-president of research at AGT Germany, who was also speaking on the panel, explained that if security standards were created at a component level, requiring considerable consultation with vendors, the result would be a many-layered security system.

"Even company insiders would find this very difficult to master," he explained.

Another big security issue, according to Kaspersky, is that of human access to client data.

"The people working for cloud providers could present a significant security problem," she said.

"A client could be made aware of the technical security that is built into a system but what if somebody working with their data sees an opportunity to sell it on, how would they know? This is a potential nightmare."

Kaspersky explained that, to guard against this type of security threat, a client would need to develop a strong relationship of trust with its provider, one that may see the client given information about the recruitment and background of staff working with its data.

"This requires buy-in from other areas of the business such as human resources, but it is essential," she said.