What People REALLY Mean When They Say “THE Cloud” Is More Secure…
Over the last two days, I've seen a plethora (yes, Jefe, a plethora) of trade rag and blog articles espousing that The Cloud is more secure than an enterprise's datacenter and that Cloud security concerns are overblown. I'd pick these things apart, but honestly, I've got work to do.
<sigh>
Here's the problem with these generalizations, even when some of the issues these people describe are actually reasonably good points:
Almost all of these references to "better security through Cloudistry" are drawn against examples of Software as a Service (SaaS) offerings. SaaS is not THE Cloud to the exclusion of everything else. Keep defining SaaS as THE Cloud and you're being intellectually dishonest (and ignorant.)
But since people continue to attest to SaaS==Cloud, let me point out something relevant.
There are two classes of SaaS vendors: those that own the entire stack including the platform and underlying infrastructure and those those that don't.
Those that have control/ownership over the entire stack naturally have the opportunity for much tighter control over the "security" of their offerings. Why? because they run their business and the datacenters and applications housed in them with the same level of diligence that an enterprise would.
They have context. They have visibility. They have control. They have ownership of the entire stack.
The HUGE difference is that in many cases, they only have to deal with supporting a limited number of applications. This reflects positively on those who say "Cloud SaaS providers are "more secure," mostly because they have less to secure.
Meanwhile those SaaS providers that simply run their appstack atop someone else's platform and infrastructure are, in turn, at the mercy of their providers. The information and applications are abstracted from the underlying platforms and infrastructure to the point that there is no unified telemetry or context between the two. Further, add in the multi-tenancy issue and we're now talking about trust boundaries that get very fuzzy and hard to define: who is responsible for securing what.
Just. Like. An. Enterprise. 🙁
Check out the Cloud model below which shows the demarcation between the various layers of the SPI model of which SaaS is but ONE:
The further up the offering stack you go, the more control you have over your information and the security thereof. Oh, and just one other thing. The notion that Cloud offerings diminish attack surfaces is in many cases a good thing for sophisticated attackers as much as it may act as a deterrent. Why? Because now they have a more clearly defined set of attack surfaces — usually at the application layer — that makes their job easier.
Next time one of these word monkeys makes a case for how much more secure The Cloud is and references a SaaS vendor like SalesForce.com (a single application) in comparison to an enterprise running (and securing) hundreds of applications, remind them about this and this, both Cloud providers. I wrote about this last year in an article humorously titled "Cloud Providers Are Better At Securing Your Data Than You Are."
Like I said on Twitter this morning "I *love* the Cloud. I just don't trust it. Sort of like why I don't give my wife the keys to my motorcycles."
We done now?
/Hoff
Categories: Cloud Computing, Cloud Security
So the wife/motorcycle thing- is that to protect the wife or the motorcycle?
Hoff, nice post.
You've made the statement:
Meanwhile those SaaS providers that simply run their appstack atop someone else's platform and infrastructure are, in turn, at the mercy of their providers. The information and applications are abstracted from the underlying platforms and infrastructure to the point that there is no unified telemetry or context between the two. Further, add in the multi-tenancy issue and we're now talking about trust boundaries that get very fuzzy and hard to define: who is responsible for securing what.
This situation resembles the approach used with the ASPs of 8 – 10 years ago, as they tried to condominiumize application platforms (like Oracle or Siebel), assuming that because they simply had the infrastructure under their centralized management, they could make money and provide the mid-market with access to the same systems the big boys used. We know how the ASP experiment turned out.
Today's situation, in which the descendents of ASPs have a better chance to deliver SaaS built on someone else's platforms and infrastructure, is just that … better, but by no means "secure"… nor performant, nor resilient … just because they're in the cloud.
I like the additions to your Taxonomy & Ontology, though (per yesterday's conversation) you may need to add the "MIA" lable to Coghead.
To Rich Miller
You are shifting the point of the article. Security is not a business model. It requires a good deal of control over the underlying infrastructure, otherwise you'll always have the issue of the unsecure backend.
Which is something that even enterprise hosted systems tend to do 🙂
I wrote a brief article on this yesterday
http://www.shortinfosec.net/2009/02/securing-appl…
Bozidar Spirovski
http://www.shortinfosec.net
One thing that nobody's talking about in this regard is the greatly expanded attack surface for DDoS.
With cloud computing, it's absolutely imperative that a) the architecture and all ancillary infrastructure is made as resilient, redundant, and defensible as possible, b) that cloud providers have complete visibility into their network traffic and the behaviors and performance of their back-end systems, all the way to the layer-7 transactions, b) that cloud providers have opsec personnel, systems, and procedures in place to deal with DDoS, c) that cloud providers have the relationships in place with their peers/upstreams/downstreams and the operational community at large so that they can quickly enlist help in dealing with DDoS, and d) end-customers take DDoS into account for their own infrastructure as well as in terms of cloud provider diversity.
Hoff,
What would make you trust "the Cloud"? Scrap that… stupid question…
What would make you trust SaaS providers?
Allen asked "What would make you trust SaaS providers?"
Generally, my CEO or CFO. 🙁
I don't "trust" third party vendors with my data. I never will. I simply exercise the maximal amount of due diligence that I am afforded given prevailing time, money, resources and transparency and assess risk from there.
Even if the data is not critical/sensitive, I don't "trust" that it's not going to be mishandled. Not in today's world.
I'm not trying to be elusive and lofty in my response, that's just how I roll.
/Hoff
/Hoff