Cloud Computing and Protecting Confidential Information

A couple of months ago, I talked about the implementation of DLP in cloud computing environments.  Since then, I have seen a few examples of how security-oriented firms, such as Tripwire and enStratus, are working with cloud vendors to provide internal compliance and validation.

Meanwhile, we have seen several large-scale data breaches, including numerous attacks on Sony, that were carried out through the victims' web servers.

A significant use case for cloud computing is to provide scalable web services.  That puts two things on a collision course: web servers deployed in the cloud, often with vulnerabilities in the applications they host, and the web application firewall (WAF), data loss prevention (DLP), and intrusion detection/prevention (IDS/IPS) controls needed to protect those servers and the information they expose.

There are some difficult problems with protecting outward-facing cloud-based web servers, though.  Inline WAF, DLP, and IDS/IPS appliances might not scale as fast, or as automatically, as the web servers behind them.  It may also be challenging to monitor or intercept web traffic at all, especially SSL/TLS traffic, because an appliance outside the server cannot inspect encrypted requests and responses without terminating the session itself or holding the server's private key.

A solution to this problem might be to incorporate WAF, DLP, and IDS/IPS technology into the web servers themselves (the way a WAF engine such as ModSecurity loads as an Apache module), so that the inspection runs inside the process that already holds the decrypted traffic, and as the web servers are scaled out, the protection automatically scales with them.
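To make the "protection inside the server" idea concrete, here is an added example (not code from the original post, and not any vendor's product) of a WSGI middleware that does both jobs in-process: it screens each inbound request against a handful of illustrative WAF patterns, and it masks Luhn-valid payment card numbers in the outbound response as a simple DLP control. Because it runs inside the web server process, it sees plaintext after TLS termination and is replicated automatically with every server instance. The rule patterns, the `demo_app` upstream application and the sample request data are all constructed for this demo.

```python
"""Inline WAF + DLP as WSGI middleware (added example; constructed rules and data)."""
import re
from io import BytesIO
from typing import Optional
from urllib.parse import unquote_plus

# Inbound WAF rules. These are illustrative patterns for the demo, not a
# production ruleset; a real deployment would load a maintained rule set.
WAF_RULES = [
    ("sqli-union",     re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("path-traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("xss-script",     re.compile(r"<\s*script\b", re.I)),
]

# Candidate primary account number: 13-19 digits, optional single space/hyphen
# separators, ending on a digit. Luhn validation below filters most false hits.
CARD_RE = re.compile(rb"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect_request(environ) -> Optional[str]:
    """Return the name of the first WAF rule the request trips, or None."""
    pieces = [unquote_plus(environ.get("PATH_INFO", "")),
              unquote_plus(environ.get("QUERY_STRING", ""))]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    if length:
        body = environ["wsgi.input"].read(length)
        environ["wsgi.input"] = BytesIO(body)   # let the app read the body again
        pieces.append(unquote_plus(body.decode("utf-8", "replace")))
    for name, rx in WAF_RULES:
        for piece in pieces:
            if rx.search(piece):
                return name
    return None


def mask_cards(data: bytes):
    """Mask Luhn-valid card numbers in a response body; return (data, count)."""
    count = 0

    def repl(m):
        nonlocal count
        raw = m.group(0)
        digits = re.sub(rb"[^0-9]", b"", raw)
        if luhn_ok(digits.decode()):
            count += 1
            return b"****-****-****-" + digits[-4:]
        return raw                              # 13+ digit run that fails Luhn: leave it

    return CARD_RE.sub(repl, data), count


class InlineProtection:
    """WSGI middleware: WAF on the way in, DLP masking on the way out."""

    def __init__(self, app):
        self.app = app
        self.events = []          # (kind, detail); in practice ship these to the SIEM

    def __call__(self, environ, start_response):
        hit = inspect_request(environ)
        if hit:
            self.events.append(("blocked", hit))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request blocked\n"]
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers

        # The whole response is buffered so it can be scanned; streaming
        # responses would need a chunk-aware scanner instead.
        body = b"".join(self.app(environ, capture))
        body, n = mask_cards(body)
        if n:
            self.events.append(("masked", n))
        headers = [(k, v) for k, v in captured["headers"] if k.lower() != "content-length"]
        headers.append(("Content-Length", str(len(body))))
        start_response(captured["status"], headers)
        return [body]


def demo_app(environ, start_response):
    """Constructed upstream app that leaks a (test) card number in its response."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"order 42 paid with 4111 1111 1111 1111, ref 1234567890123\n"]


def run(protected, method="GET", path="/", query="", body=b""):
    """Drive the middleware with a synthetic WSGI environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"] = status

    data = b"".join(protected(environ, start_response))
    return out["status"], data


if __name__ == "__main__":
    guard = InlineProtection(demo_app)
    print(run(guard, query="id=1"))
    print(run(guard, query="id=1'+or+'1'='1"))
    print(run(guard, method="POST", path="/search",
              body=b"q=x' UNION SELECT password FROM users--"))
    print(run(guard, path="/../etc/passwd"))
    print(guard.events)
```

The first request passes the WAF and the response comes back with the card number masked while the 13-digit order reference, which fails the Luhn check, is left alone; the next three are refused before they reach the application. Two caveats a practitioner would want: regex rules of this kind are a starting point, not a substitute for a maintained rule set, and the middleware buffers the full response, so a streaming or large download needs a chunk-aware scanner that carries state across chunk boundaries.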

