2. You don't own the hardware Companies who want to audit their providers and do their own testing need to remember that they don't own the hardware. Conducting a vulnerability scan or a penetration test requires the explicit permission of the cloud-service provider, Stamos warns. Otherwise, the client is hacking the providers' systems.
While some service agreements, such as Amazon's, specify that the client can conduct testing of their software running on the provider's systems, getting explicit permission is key, he says.
"The recommendation ... is that, if you are asked to pen-test applications in the cloud, they (the legal experts) recommend that you get permission from someone at the company," he said. "Because certainly, by the letter of the law the legal ownership of those machines is very important."
3. Strong policies and user education required While cloud computing offers companies immense benefits, such as allow access to data from anywhere and removing maintenance headaches from the IT staff, the always-on service also means that phishing attacks that hit workers at home could threaten the company.
Thus, educating users about the dangers, not only to themselves but to their company, is key, said iSEC's Stamos.
"It is very difficult to teach all the non-technical users in your company about how to not be phished, but the fact of the matter is, with software-as-a-service, phishing attacks are going to be something that stops being a personal issue and starts becoming a enterprise-wide security issues," he said.
4. Don't trust machine instances When using a virtual machine from a provider, such as the third-party instances created on Amazon's Elastic Cloud Computing (EC2) infrastructure, companies should never trust the system, says SensePost's Meer.
The company's researchers scanned a number of pre-configured instances and found authentication keys in the caches, credit-card data and the potential for malicious code to be hidden within the system. Yet, they found most of their customers did not consider the security implications of using a machine image created by the third-party developer.
"Some customers have based an entire authentication server off of pre-configured images," SensePost's Meer said.
Companies should either create their own images for internal use, or protect themselves technically and legally from potentially malicious third-party developers, Meer says.
5. Rethink your assumptions In all cases, when considering security, corporate information-technology managers need to reconsider their assumptions in the cloud.
For example, when deploying an application to run on a computing instance in a virtualized data center, features that rely on random number generation will not necessarily work as expected. The problem is that virtual systems have much less entropy than physical ones, so random numbers could be guessable, iSEC's Stamos says.
"You need to consider the non-obvious," he says.
Sign up for Computerworld eNewsletters.