As I began scouring my memory, library, and eventually the Web for a fitting quote on the topic of clouds to use as the title of this blog, I discovered something interesting.
If you start researching the famous historical quotes involving clouds – from stark Biblical references to bubblegum pop lyrics – you’ll find that sentiments are pretty much split down the middle in terms of whether they confer something promising, say a silver lining, or something imposing, like a gathering storm.
And while I never found exactly the right words that I was seeking to invoke the way that I feel about cloud computing and its inherent benefits and risks, this observation about the duality of clouds, the way people view them as both good and bad, positive and negative, promising and foreboding, actually serves just as well as any quote that I could have found.
Lately, a lot of people have been scrutinizing cloud computing as it relates to security, as the two topics are both top of mind for many CIOs and IT decision makers, and as a result it seems that thankfully this major shift in computing infrastructure won’t be unleashed without first considering potential pitfalls.
But whether you believe that cloud computing offers more benefits than it introduces risks, or vice versa, you have to recognize that both sides have valid points.
From the IT security side, those like myself who worry about the layers of risk involved in offloading so many computing processes and so much electronic data onto service providers, or even just into privately operated clouds, focus on the computing environments we have today and transfer the issues we struggle with onto this new landscape.
Many cloud advocates argue that this more distributed infrastructure will be inherently safer than today’s model, through which organizations maintain and protect most of their own electronic data, because the people responsible for building and defending the clouds will have greater incentive to secure them.
I’m not convinced that’s a valid argument. Will a service provider, or even an enterprise maintaining its own cloud, really be more concerned with protecting its customers’ data, or even its own, than those organizations traditionally have been? One can argue that technically speaking those building clouds will be more occupied with security than people were 10 years ago when developing their networks and that they have more tools to do so at their disposal.
However, I think that anyone familiar with IT security can also recognize that distributed, interconnected clouds also create as many potential risks as they may eliminate. And from a motivation standpoint, I don’t think the cloud makers will be far more attentive. As much as it seems so at times, I don’t believe that most IT vulnerabilities are derived from carelessness, versus technological and process complexity.
Dissecting the Cloud
Here are the four main reasons why I fear for IT security as it relates to cloud computing:
- It already seems that there will be an overreliance on encryption, at least from what people arguing in favor of cloud security seem to say. Encryption is a powerful tool, but if history has taught us anything in IT security and elsewhere it’s that encryption can and will be defeated, by technical innovation and human error.
- Virtualization is still a security unknown. So much of the cloud computing model depends on the use of virtualization, but researchers, including those at CoreLabs, have proven that virtualization is an unproven commodity in regards to security and that there are significant vulnerabilities in the systems people are using today.
- Outsourcing is a huge security risk. Organizations handing over their intellectual property and customer data to third parties are often paying for it. We’ve seen this happen repeatedly in the government space. Organizations don’t typically make security a major element of their SLAs and write safeguards into their outsourcing contracts. Unless they do so and invoke major penalties for breaches, a pass-the-buck approach to security will continue to dominate.
- The security perimeter becomes even fuzzier. Organizations are already struggling with the softening of the IT security perimeter related to remote access and electronic data sharing. With data constantly available in the cloud for user access, in multi-tenant environments, the opportunity for infiltration would seem to grow exponentially.
It’s my belief that the sensitive information being generated, set in transit and left at rest in cloud computing services all constitute major challenges, not just in how to enforce security and privacy policies, but also in being able to credibly prove that those controls are actually functioning.
Multi-tenancy and resource usage optimization driven by economies of scale are fundamental to the cloud-computing model, but they introduce a multitude of security issues due to the blurring of lines of demarcation for data entering and traversing the cloud.
Finally, I truly wonder, how do you ensure the compliance or security of a given organization’s data (stored by a cloud services provider) without stepping over some other organization's data and cloud computing infrastructure systems themselves in doing just that?
I am not a naysayer. The clouds are coming, and they will bring with them many significant benefits.
But we need to be realists at the same time. Those clouds will also carry plenty of storms.
-Tom Kellermann, Vice President of Security Awareness