The ‘Poodle’ Continues To Bite

A new study by Greyhound Research shows that Poodle attack, which claimed its first victim in October 2014, has managed to cross the cloud barrier, and has penetrated cloud security SSL VPNs.

The latest to fall victim to Poodle is the Microsoft cloud.

Sanchit Vir Gogia, CEO, Greyhound Research, in his research report remarked, “I was discussing enterprise security norms around cloud-based productivity suite offerings with an enterprise customer in APJ. Like many IT decision makers who are taking a leap to the cloud, the customer is also currently evaluating cloud-based productivity suite options of both; Microsoft Office 365 and Google Apps. I ran a quick Poodle attack vulnerability check and the results were worrisome.”

Based on the study, Greyhound Research found that Microsoft Office 365 continues to rate weak on SSL3.0 security vulnerability. It must be recalled that in October 2014, Microsoft issued an advice on a Secure Sockets Layer (SSL) 3.0 security flaw that was discovered in their Azure and Office 365 exchange servers. Microsoft quickly replaced the ‘aged SSL 3.0′ protocol with Transport Layer Security (TLS) protocol, and claimed that it was devoid of the Poodle flaw, as also validated by US-CERT.

outlook-ofice-365

“However, we ran the Qualys test for few mail servers, only to find that the vulnerability still affects the Office 365. The test results clearly demonstrate that the Office365 server is vulnerable to the Poodle attack,” Gogia said.

mailgoogle

He added that IT decision makers should evaluate the security offerings for such vulnerabilities to ensure safety for its data and brand.

The research firm has compiled a list of critical questions that every IT decision maker must address when implementing a cloud security strategy.

·        Are my peers in other organizations adopting, planning or exploring cloud delivered services?
·        Is my on-premise infrastructure more secure than cloud?
·        How different is cloud security to the previous on-premise and hosted scenarios?
·        Is the private cloud more secure than public cloud?
·        How should I assess my cloud provider?
·        How can I better manage data privacy for cloud delivered workloads?
·        What industry certifications should I look out for?
·        What are the key compliance requirements I need to adhere when using cloud for my org?
·        Are there any industry bodies certifying cloud providers?
·        Do I need to re-skill my team to better manage cloud providers and security?
·        My peers tell me cloud is both a legal and contractual nightmare. How true is this?

To read the Full Article, click here: CIOL

Leave a Reply