Cloud Computing Economics - There Is No Free Service

Cloudonomics Journal


I traveled to Toronto, ON, for the third Security Education Conference Toronto (SECTor). There were many great presentations on the first day, but the common theme among them all was something we, as well as many other security professionals, have been harping about for years: Input Validation. Whether you are a network firewall validating TCP headers, an application firewall validating Layer 7 protocols, or a reverse proxy validating web services or POST variables, the hot topic in information security is input validation. Chris Hoff gave a great keynote speech on the perils of cloud computing, one example of which was an attacker doing a Man-in-the-Middle attack on vMotion, which has no encryption for performance reasons. As you can imagine, the virtual machine that ended up on the remote side was not much like the original. How's that for performance!

The less geeky among us might say that the weakest link in information security is the user. Education is a big part of keeping your users up to date on the things they should be doing to secure themselves and their corporate assets. What if you could apply the technical solution of input validation to the user problem? After all, we are always telling users what they should click on and how to attempt to decipher those cryptic browser SSL errors. Is this not the same thing as teaching an application firewall to do the identical task? The cynical might say it is easier to teach a computer, but just like the theory that children are small people that don't need baby talk, perhaps it is time to treat our users like peers and make an effort to bring them up to speed on the things we consider so critical to maintaining a secure infrastructure. It might even make your job easier in the long run.


More Stories By Hurricane Labs

Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.