10 Comments

Summary:

Are clouds fundamentally less secure? A story today in the Guardian lists cloud security as one of the things we’ll worry about in 2009, citing a recent survey commissioned by — big surprise — security companies. I don’t believe that clouds themselves will cause the security […]

Are clouds fundamentally less secure? A story today in the Guardian lists cloud security as one of the things we’ll worry about in 2009, citing a recent survey commissioned by — big surprise — security companies.

I don’t believe that clouds themselves will cause the security breaches and data theft they anticipate; in many ways, clouds will result in better security. Here’s why:

  • Fewer humans – Most computer breaches are the result of human error; only 20-40 percent stem from technical malfunctions. Cloud operators that want to be profitable take humans out of the loop whenever possible.
  • Better tools – Clouds can afford high-end data protection and security monitoring tools, as well as the experts to run them. I trust Amazon’s operational skills far more than my own.
  • Enforced processes – You could probably get a co-worker to change your company’s IT infrastructure. But try doing it with a cloud provider without the proper authorization: You simply won’t be able to.
  • Not your employees — Most security breaches are committed by internal employees. Cloud operators don’t work for you. When it comes to corporate espionage, employees are a much more likely target.

So where are the risks?

“The potential exists for security challenges like data breaches, data intermixing with other vendors, and exposure to security vulnerabilities that [enterprises] may not be exposed to in the infrastructure they own and manage,” John Pironti, chief information risk strategist at Compucom, told me.

With any new technology, there are bound to be exploits we haven’t thought of. But they’re more likely to be part of the management tools used to transfer and modify cloud data, as well as remote tools used to access applications in the cloud, than the clouds themselves.

There are real reasons to be careful when moving your data into a cloud. But be sure you’re worried about the right things. Otherwise you risk looking like a panicky server-hugger who wants to sleep with a copy of your data under your pillow.

You’re subscribed! If you like, you can update your settings

  1. Reuven Cohen, Founder Enomaly Inc Thursday, December 11, 2008

    Cloud security has less to do with the physical aspects of security and more to do with the “perceived” risks of using remote resources. Whether it’s in the cloud or not.

    Is Windows less secure then OS X or Linux? The Answer, like it or not is no. But Windows is perceived to be less secure and therefore it is, at least in the eyes of the those making the IT decisions Potential cloud customers/users believe that security is a problem with cloud computing. This is a fact. I experience it everyday. The problem that we in the cloud industry must face is the question of trust. A lot of enterprises trust IBM, Cisco, Oracle, ATT, but are not so sure they trust Amazon or some random startup they’ve never heard of. We need to address this first and foremost. Your points are valid but only if you’ve already made it over the initial barriers to entry which we haven’t yet done.

  2. Cloud computing is intrinsically less secure. Additionally links in the chain provide additional vectors of attack. And this particular link involves entrusting a third party with your data at a third party location. How can you verify physical security, when it’s not even your facility or one you can personally access? I find your employee argument amusing, considering you INCREASE the number of employees (by adding another company to the mix) with access to data when you migrate info to the cloud. Cloud computing is fine for things that aren’t sensitive, like personal photos, but no way in hell would I entrust confidential business data to a third party.

  3. Cloud infrastructure will be more secure under a certain scale; small businesses with a handful of IT guys probably don’t have the specialized skill to lock down the network like companies with scale like Amazon would have. So the technology and setup is better in those cases, but that doesn’t stop two big concerns:

    1) Not your employees. What’s stopping a network administrator at Cloud, Inc. , who knows the security weaknesses of the gigantic storage network better than anyone, from doing anything different than your own employee? Say they get ticked or fired. They could just as easily disable security services on their way out as your own employee.

    2) Security of data. Maybe the physical network is secure, but there isn’t anything more than EULA or privacy policy standing in the way of big cloud companies doing deals with other companies that would like access to all that data they have. Even anonymized, crawling that data changes the game of data privacy.

  4. Given that we are told that 80% of all security breaches and data loss occur within the firewall I think companies and individuals alike have every reason to be concerned about who is managing their assets and how is access to those assets controlled within le Cloud. Be it a disgruntled Amazon employee or soon to be de-duped EMC flunky your data is at risk when a 3rd party can physically access it.

    Couple that with the stickiness of cloud offerings (once you have uploaded 5TB of data to the cloud can u be arsed moving vendors?) once the data in in the cloud the user is potentially tied to the vendor (and any changes in price structures) for a very long time.

  5. Alistair, I agree with you up to a point. For all of the elements of the infrastructure that fall below the customer demarcation point, the arguments above do tend to add weight to the secure side of the scale. I think where this falls down is at the level of internet accessible interfaces that are the customer’s responsibility.

    Enterprises have deployed a great deal of process and automation to govern IT policies. Today, governing IT policy for cloud resources through these customer interfaces is disjointed from these processes and automation tools. And because these interfaces are publically accessible from the internet, the risk is amplified. For example, most enterprises have identity management systems to automate employee onboarding, offboarding and role changes. When a disgruntled employee is fired, he/she is set as inactive in the identity management system and all of his/her infrastructure and application accounts are disabled automatically, including VPN access to the systems he/she might want to compromise. Even if there is no automation tool, there is likely a process checklist HR drives to accomplish the same result.

    Most enterprises are unlikely to even have electronic tracking of what cloud resources an employee has access to, let alone processes or automation tools to ensure they are all disabled and data secured. So in the scenario of the disgruntled employee, the identity management tool revokes his access to all internal systems and applications, but don’t know he/she has admin access to a dozen important EC2 instances in the cloud. And because the EC2 instance is internet accessible, revoking his VPN access did not provide the second line of defense it does for systems that reside in a corporate data center.

    This is just one example. You can find many ways in which cloud infrastructure is not yet integrated into enterprise process and automation. All of the arguments for controlling VM sprawl with process and automation in the enterprise data center are amplified when the resources are outside the corporate membrane.

    Until IT systems and processes are able to govern cloud infrastructure and applications as a simple extension of the enterprise, cloud definitely does present a security risk.

  6. The security of any asset is less dependent on its controls (i.e. protections), threats (i.e. adversaries), and vulnerabilities (i.e. technical and design gaps) than it is an often left-out risk variable: location.

    Security is the separation of an asset from a threat.

    Cloud computing is distributed computing + distributed applications. A more granular/hip way to say this is: vCompute, vStorage, vNetwork, vApp. Cloud computing brings all assets to all threats. It’s the opposite of security.

    “Cloud Security” is an oxymoron. Please also see: http://rationalsecurity.typepad.com/blog/2008/12/alistair-croll-on-cloud-security-the-sky-is-falling-and-apparently-logicfacts-are-too.html

  7. I’m reminded of an episode a decade ago in a huge federal agency which had outsourced all of its routers and servers to a well-known service provider. It was a very similar arrangement to cloud computing. The provider worries about everything. You worry about nothing… until it’s too late.

    We happened to hire a former Cisco engineer locally. Suffice it to say, he was a bit surprised we had outsourced all of our equipment with no admin access. Moments later he had guessed the router password in less than 3 tries. And it turned out the service provider had used the same password nationwide on literally hundreds of routers protecting ultra-sensitive information.

    Senior officials spent many months trying to cover up the security disclosure. The service provider is still in place to this day. As a backup of non-sensitive, encrypted data, I’m all for Cloud Computing. Otherwise, you’d have to be nuts!

  8. Are clouds less secure? | Bitcurrent Wednesday, December 17, 2008

    [...] an interesting response from Chris Hoff over at Rational Security to my GigaOm piece about cloud computing and security. Chris makes some great points (and flagged a good study on computer fraud that refutes some of [...]

  9. 4sysops – Is cloud computing secure? Pro and contra cloud security Wednesday, December 17, 2008

    [...] Alistair Croll and Petko and D. Petkov claim that cloud computing has equal or even better security than on-premise computing. Here are their arguments and some of my own: [...]

  10. IT’s About Uptime – The StackSafe Blog » Blog Archive » Links List 12.19.08 Friday, December 19, 2008

    [...] Tarry Singh highlights a post from Alistair Croll on GigaOm that takes a real-world look at the security risks of the cloud. He points out that most [...]

Comments have been disabled for this post