Sony PSN hacked by LulzSec. Attacks on the IMF by a nation state. Google Docs at risk. The Cloud is a pretty scary place.
You have to feel sorry for those IT Directors. For years they’ve been trying to get us to care about security. Now they want to rush out and buy Clouds, and we all start saying “but what about security?”
And we’re right to be concerned: security clearly is a major issue for the Cloud. The number of breaches proves it. (And we’re only hearing about the high-profile ones – how many lesser breaches happen every day?) At the same time, we’re mostly asking the wrong question. “Is the Cloud safe?” is meaningless. Security isn’t about absolutes.
Think of it this way. Imagine that you’re a cybercriminal looking for a target. You’ve identified two options:
1) LockedDown Ltd stores its data in a private datacentre. Firewalls everywhere. Strong database encryption. Intrusion detection. You name it, they’ve got it.
2) FreeFloating Corp, on the other hand, is in the Cloud. Public access via the web. Only a few passwords to crack and you’re in.
Where would you start?
Now let’s drill into the scenario a little. Lionel from LockedDown is about to go on a sales trip. He needs his client list while he’s out, so he extracts it from the database and saves it to a spreadsheet. He emails this spreadsheet to his Hotmail account so he can access it easily from the hotel. Encrypted? He doesn’t know how. Fred from FreeFloating is on a trip too. His data is in the Cloud, so he accesses it the same way as ever. All the standard security systems are still in place.
Now who’s looking vulnerable? Security isn’t about systems and policies. It’s about people and how they behave.
If you look at the way people in most organisations behave, then you start to uncover stuff that’s every bit as scary as the Cloud. For example:
A lot of organisational data is stored in multiple places. There may be a master database in a highly secure environment, but people take extracts into spreadsheets for analysis. They run Access databases on machines under the desk. They email copies to their home accounts. They cut DVDs and put them in the post. The master database is secure, but the data isn’t.
People work in ways and places that were never envisaged when their corporate security policies were written. For example, they have devices such as iPads and smartphones. Their customers expect them to be available on those devices.
So to get their jobs done, they have to fly under the radar. It’s not just that the corporate security infrastructure is ill-fitted to protect them on those devices – they have to actively bypass that infrastructure, and whatever protections it can provide, in order to use them.
Many organisations, especially small and medium companies, lack the expertise to secure their systems. Most system administrators are generalists: they configure systems, deal with users, run backups, manage budgets, etc. They don’t have time to deal with the ever-growing list of security vulnerabilities. Only the largest organisations have the budget to employ security specialists. And the hackers – they spend their entire budget on understanding security.
Even if there is an internal security team, the odds are weighted against them. They need to cover every aspect of every system, while an attacker just needs to find a single chink. There’s a huge asymmetry there.
Weigh up all these factors, and you might find that the Cloud is at least as safe as many organisations’ internal systems. Putting data into the Cloud might even increase security if it changes some of these behaviours. If people can share data without bypassing security controls, for example, then they will no longer need to download it to USB keys. Or if they can run analytics in the Cloud, then they will no longer need to extract data into local spreadsheets. And so on.
And, as every vendor will tell you, the Cloud vendors have little option but to hire security specialists and build the best possible security infrastructure – their business depends on it. Having access to such an infrastructure would be a big step forward for many organisations. (Although they need to be careful here: there’s a huge variation in the vendors’ ability to deliver on their promises.)
The Cloud is a more nuanced place than most commentators will allow. It’s neither pure hype nor a cure for all the world’s ills. Rather, it’s a set of tools that may let organisations make new trade-offs in the way they access computational resources. Security is one of those trade-offs. And, for many organisations, it may actually be a pretty good one.