July 13, 2010 at 4:30 pm #5328 yatz Participant
Recently posted on my blog discussing cloud security. Not complete, but my thoughts as they exist today.
Okay, for quite a while I’ve wondered what the big deal was about cloud security. The “Cloud” is a buzz word nowadays that, to me, seemed like nothing more than that. As time has progressed over the past year or so, the buzz word isn’t going away. Microsoft is pouring over Azure, VMware, Google… it seems like most large vendors see the cloud as the future. But, the big hurdle most businesses seem to be stuck on is the idea of “cloud security.”
So I think to myself, “What the heck is that anyway?” What makes cloud security any different than regular security?
On a journey that is still incomplete, I decided to investigate. In my mind, I would say the security of my data in the cloud means I don’t have control over it anymore and it scares me. Could it really be that simple? If so, I would guess the marketing big shots would have evangelized their pants off because there is big money to be had, and it would have been all over by now. But we still see hesitancy in businesses to adopt wholeheartedly.
What else is going on? Let’s take a hospital for example, privately owned. The IT department is sold on the increased processing power, cost savings, etc. and decides to put all their customer data in the cloud. Suddenly questions that didn’t matter before begin to emerge. Who exactly has access to these records? They say it’s encrypted, but what encryption? Whose encryption? How do we know someone hasn’t figured out how to decrypt my data? Traffic is now tunneled over the public network, what kind of measures are in place to prevent sniffing these transmissions?
The questions keep coming. What about government regulations? How do I KNOW that someone working for the cloud company doesn’t have a backdoor admin credential? Can I be liable if we lose records or the data is compromised through a vendor threat?
Other things come into consideration that may not have been worried about before. When something is deleted, how do I know it is ACTUALLY deleted? How many backups are out there that I don’t know about?
After asking these questions, whether you are comfortable or not with the vendor’s answers, does the cost savings really matter? If we keep the data in house, we’ll be paying overhead for maintenance and hardware for a data center of our own, but who cares about that if we have control over our own security? It’s about risk management, a concept CIOs and CFOs know very well but may be missing from eager IT staffers with an eye for the next greatest thing.
I’m not against the cloud, though I gotta say I am getting sick of it because I feel barraged by it. But honestly, with virtualization being an enormous hit for businesses, maybe the cloud really IS the future. So how do we answer the questions if we were the cloud vendor?
First off, I would probably try to integrate existing security technologies into a cloud environment. Having clients use certificates may be a bit much since (I think) they would have to sign each file stored in the cloud. Or just encrypt the whole thing with BitLocker or some other low level encryption tool. I could provide VPN access to a dedicated RRAS server, or utilize RPC over HTTPS technology for each client to protect transmission. Audits will need to be done on file access routinely to prove to clients their data is not compromised. Backup routines and replication topologies will have to be disclosed too.
Regardless, I would also HAVE TO protect myself as the vendor. If maintenance was neglected by the client, it must not be blamed on me. I guess risk management works both ways.
Who knows if these existing security technologies will be enough working together in a cloud environment? Maybe we need an entirely new security scheme. Maybe the cloud technology that’s out there isn’t built on security and needs to be revised from the ground up. If the cloud really is the future, security needs to play a primary role. At least that much is certain.
(Some content references the July 2010 issue of Redmond Mag in an article entitled Cloud Visibility by Jeffrey Schwartz. Just giving credit where it is due.)
What are your thoughts? Has anyone pentested against a cloud? What have you run into?
July 13, 2010 at 4:37 pm #33743 Ketchup Participant
I can’t stand this buzzword, “cloud computing.” That’s gotta be up there with some of the worst ones to come out of some CIO magazine. I think that the same security concerns that have to do with any hosted services apply here.
July 14, 2010 at 3:43 am #33744 partek Participant
> I can’t stand this buzzword, “cloud computing.”
I totally agree. I have seen the term “cloud computing” mean so many different things. Honestly the “cloud” should really only reference real on-demand offerings like those of SaaS, PaaS, and IaaS. All too often I’m seeing this term applied to generic virtualization in the datacenter such as VMware and Xen as well as your run-of-the-mill webhosting that’s been around forever.
While the interface to some of these services may be new, the real security implications are not. What we’re seeing happening now is that large organizations are being lured to the ‘cloud’ by the analysts selling them the idea that they could save tons of money. Some organizations should have absolutely no issue moving their data out of the datacenter, as long as they keep as much control around it as is necessary.
On the other hand, a hospital or anyone else handling confidential information still needs to have full control around where that data lives, how it’s backed up, and how it is disposed of. Unfortunately the ‘cloud’ offerings as they stand today can’t guarantee those controls.
I think the “cloud” is a great enabler and even though it’s really nothing new, the marketing machine behind it actually can bring about some interesting change in the industry.
It seems every day I see an article or question about security and data governance with regards to the “cloud”. Given that there are so many questions around it, there is obviously real interest. With interest (and some cash), we’ll likely be seeing some real solutions coming out of the marketplace in the near future.