Okay, for quite a while I’ve wondered what the big deal was about cloud security. The “Cloud” is a buzz word nowadays that, to me, seemed like nothing more than that. As time has progressed over the past year or so, the buzz word isn’t going away. Microsoft is pouring over Azure, VMware, Google… it seems like most large vendors see the cloud as the future. But, the big hurdle most businesses seem to be stuck on is the idea of “cloud security.”
So I think to myself, “What the heck is that anyway?” What makes cloud security any different than regular security?
On a journey that is still incomplete, I decided to investigate. In my mind, I would say the security of my data in the cloud means I don’t have control over it anymore and it scares me. Could it really be that simple? If so, I would guess the marketing big shots would have evangelized their pants off because there is big money to be had, and it would have been all over by now. But we still see hesitancy in businesses to adopt wholeheartedly.
What else is going on? Let’s take a hospital for example, privately owned. The IT department is sold on the increased processing power, cost savings, etc. and decides to put all their customer data in the cloud. Suddenly questions that didn’t matter before begin to emerge. Who exactly has access to these records? They say it’s encrypted, but what encryption? Whose encryption? How do we know someone hasn’t figured out how to decrypt my data? Traffic is now tunneled over the public network, what kind of measures are in place to prevent sniffing these transmissions?
The questions keep coming. What about government regulations? How do I KNOW that someone working for the cloud company doesn’t have a backdoor admin credential? Can I be liable if we lose records or the data is compromised through a vendor threat?
Other things come into consideration that may not have been worried about before. When something is deleted, how do I know it is ACTUALLY deleted? How many backups are out there that I don’t know about?
After asking these questions, whether you are comfortable or not with the vendor’s answers, does the cost savings really matter? If we keep the data in house, we’ll be paying overhead for maintenance and hardware for a data center of our own, but who cares about that if we have control over our own security? It’s about risk management, a concept CIOs and CFOs know very well but may be missing from eager IT staffers with an eye for the next greatest thing.
I’m not against the cloud, though I gotta say I am getting sick of it because I feel barraged by it. But honestly, with virtualization being an enormous hit for businesses, maybe the cloud really IS the future. So how do we answer the questions if we were the cloud vendor?
First off, I would probably try to integrate existing security technologies into a cloud environment. Having clients use certificates may be a bit much since (I think) they would have to sign each file stored in the cloud. Or just encrypt the whole thing with BitLocker or some other low level encryption tool. I could provide VPN access to a dedicated RRAS server, or utilize RPC over HTTPS technology for each client to protect transmission. Audits will need to be done on file access routinely to prove to clients their data is not compromised. Backup routines and replication topologies will have to be disclosed too.
Regardless, I would also HAVE TO protect myself as the vendor. If maintenance was neglected by the client, it must not be blamed on me. I guess risk management works both ways.
Who knows if these existing security technologies will be enough working together in a cloud environment? Maybe we need an entirely new security scheme. Maybe the cloud technology that’s out there isn’t built on security and needs to be revised from the ground up. If the cloud really is the future, security needs to play a primary role. At least that much is certain.
(Some content references the July 2010 issue of Redmond Mag in an article entitled Cloud Visibility by Jeffrey Schwartz. Just giving credit where it is due.)
What are your thoughts? Has anyone pentested against a cloud? What have you run into?
CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH