Software [In]security: Partly Cloudy with a Chance of Security
The adoption of cloud-based services is a foregone conclusion. In an economy characterized by tight budgets and a laser focus on efficiency, it is impossible to argue with the cost savings associated with moving to the cloud. In fact, because everyone wants to start saving money now, the move to the cloud will not be an orderly one. If security is to have any say in the matter at all, the time is now.
Here are some key points to ponder when it comes to adoption of cloud services and their impact on security in your organization.
The Cloud Enhances Internet Security for Small Business
For the most part, good-sized enterprises have developed efficient and mostly effective network security operations by now. Security operations organizations in these enterprises generally report to the CSO. They have been tweaked and tuned for years. Some aspects of security are outsourced (monitoring, for example, or maybe threat intelligence gathering), others are run in house. The security operations machine is well-oiled and efficient. Of course there is no such thing as perfect security, but in large enterprises, network security is in far better shape than it was a decade ago.
This implies that a majority of security problems on the Internet these days are not being exacerbated by the security operations of large enterprises. And in fact, the machines being compromised in droves are owned by small and medium-sized businesses (SMBs) and consumers. Ever wonder who owns those millions of rooted machines that are regularly put together into gigantic botnets by cyber criminals? The most likely answer is your relatives and your favorite local businesses.
Cloud security can help. The more consumers and SMBs move their computing to the cloud, the better off we'll all be. That's because the operations people behind major cloud providers do a better job with network security than most SMBs do (not to mention grandma). By adopting cloud services, SMBs and consumers can instantly and automatically improve their network security posture (accelerating from their current likely-to-be-busted state to patching unpatched systems, using modern equipment, and monitoring for security intrusion). So far, so good.
Cloud Applications are the Cloud Security Achilles' Heel
The funny thing about cloud security is that it is easier to understand than you might think at first—it aligns pretty well with how we're doing with security in non-cloud situations. We're pretty good at securing physical machines in a data center. To get concrete, consider the huge disk farms in common use in large corporations. We know (for the most part) how to secure disk farms in a datacenter, and the "disk farm in the cloud" version is likewise in reasonable shape from a security perspective.
We're getting much better at securing operating systems than we were back in the NIMDA and Code Red days (sometimes using virtualization in interesting ways and generally building better OS software). I hate to admit it since I would rather see things built properly from the get go, but automatic patching has really helped. So, borrowing cycles in the cloud in the form of a standard OS platform is, according to our mapping, something that my friend Sammy would call "pretty not bad" when it comes to security.
But there is a catch. We are not very good at all at securing applications in the non-cloud world (software security a.k.a. application security is improving, but nowhere near fast enough)...and, sure enough, securing cloud applications is both non-trivial and largely overlooked. The main problem is that cloud vendors want to talk about security features such as cryptography during any conversation about cloud applications, even though we all know that security is a property and not a thing. We've heard this song and dance before, but we can expect to hear it again and again like an overplayed Lady Gaga pop song.
Bottom line when it comes to building applications on the cloud? Get some professional help. Really. And whatever you do, don't believe that the magic crypto fairy dust the cloud vendors are peddling will magically solve all of your problems.
Does this Boil Down to Data Security?
Let's get to the bottom of this crypto thing. It is your data that you're interested in protecting when it comes to both cloud and non-cloud solutions. We seem to be pretty good at protecting data at rest (using crypto), both in the non-cloud world and in the cloud world. If your data are water, you can think of data at rest as frozen water—that is, ice. Likewise, data in motion can be thought of as steam. We can protect data in motion both in the cloud and outside the cloud (using crypto).
These two physical phases of water are interesting, but we're overlooking the most important phase of all—the water phase! Data is most interesting when we're doing actual computation on it or with it (creating, manipulating, and transforming it). The phase transitions required to move from ice to water or steam to water both leave water in its most vulnerable state. And this is the problem with cloud security (and, heck, most any other kind of security as well). Crypto can't help you much with data security while you're using the data. That's the main reason we need software security in the world.
What Can We Trust the Cloud to Do?
Ultimately, everyone just seems to want a quick answer to the trust question. But the trust-the-cloud question turns out to be exactly the same as the question "what can I trust in a distributed architecture (as opposed to, say, a mainframe architecture)?" Sounds like a silly question when you put it that way, doesn't it, because the answer is obviously "nothing!"
Probably the best move we can make is to ask a better-formulated question like, "What is the cost of creating a secure computing environment using <insert cloud platform name here>?" (An example of a cloud platform is Amazon's AWS.)
Here is where the fun begins. Because the main driver for cloud computing is cost, it is essential to raise the issue of security as early as you can in the conversation so that decision makers and bean counters both understand that creating any secure computing environment requires some level of cost. Since starting over with new development is likely out of the question, how much cost depends entirely on your current computing environment and how well it can be securely re-instantiated in the cloud vendor's environment.
You can now see why the cost question needs to dive quickly into specifics with regard to a cloud platform. Platform-provided security controls (in some cases, security features), as well as collections of weaknesses in both design and implementation, vary across the plethora of platforms generally lumped under "cloud." Pick your vendor wisely and think about the applications you want to deploy before you settle on a cloud solution.
See What Security Types Have to Say
Hopefully, these thoughts will help you keep security on the radar as the inevitable rush to the cloud continues. I formulated and articulated some of these ideas during a panel on cloud security held April 7, 2011 at NIST in Gaithersburg, MD. During the panel, I discussed a number of cloud security basics with Steve Lipner of Microsoft, JC Moses of Amazon, Jonathan Smith of Penn, and Jeremy Epstein of SRI. A copy of the filmed panel can be seen here as well as a number of questions that we thought through before the panel took place.