The intersection of mobile, social and the cloud is driving innovation – it is also driving massive security challenges, according to Nils Puhlmann, chief security officer at Zynga, maker of online games including Farmville and Mafia Wars (Puhlmann is also a co-founder of the Cloud Security Alliance).
Puhlmann should know. His company delivers 8 of the top 10 Facebook games, with 50-plus million daily active users and 215-plus million active monthly users. That makes its games some of the largest cloud services around today – and they include major doses of social and mobile capabilities as well. “It’s safe to say Zynga wouldn’t exist without the cloud,” he said.
Puhlmann detailed the major security challenges for social and cloud services – it’s interesting to put them side by side:
Top security risks on social networks:
- Unproven identity of profiles and information, especially related to monetary transactions
- Malware targeting social network users and sites
- Inadvertent disclosure of private or sensitive information
- Social engineering made easy
- Complete loss of privacy
- Frameworks for application development and delivery can lead to malware distribution
- Identity theft
Key cloud security problems:
- Lack of provider transparency, impacting governance, risk management, compliance
- Leakage, loss or storage of data in an unfriendly environment
- Insecure clouds
- Malicious use of cloud services
- Account service hijacking
- Malicious insiders
- Cloud-specific attacks
What do these two lists have in common? Not surprisingly, baseline concerns about how users access and authenticate themselves to social networks and emerging cloud services.
But there are also differences.
For social networks, the security challenges tend toward the areas of social engineering, or ways in which individuals' behavior is part of the overall security problem. In the cloud, security challenges today center around the relatively immature security processes and standards governing these new all-encompassing computing environments.
Security vendors are starting to address the cloud, but simply selling existing security products to cloud providers or virtualizing existing security solutions isn’t enough. “The problems in the cloud are different,” said Puhlmann, giving the simple example of just how challenging it is to manage IP tables or firewalls at the scale that large cloud services require. Such challenges, he said, require a different way of thinking about cloud security.