The Great Cloud Security Challenge: I Triple-Dog-Dare You…
There’s an awful lot of hyperbole being flung back and forth about the general state of security and Cloud-based services.
I’ve spent enough time highlighting both the practical and hypothetical (many of which actually have been realized) security issues created and exacerbated by Cloud up and down the stack, from IaaS to SaaS.
It seems, however, that there are a select few who ignore issues brought to light and seem to suggest that Cloud providers are at a state of maturity wherein they not only offer parity, but offer better security than the “average” IT shop. What’s interesting is that while I agree that “Cloud Security is not insurmountable,” neither is non-Cloud security — but it’s sure as hell not progressed much in 40 years.
What’s missing is context. What’s missing is the very risk assessment methodologies they reference in their tales of fancy. What’s missing is that in the cases they suggest that security is not an obstacle to Cloud, there’s usually not much sensitive data or applications involved.
Ignore the U.S. CIO’s words of wisdom when he discusses the reality of security and moving to the Cloud. Ignore the CIOs and CISOs of the Fortune 500. Ignore everything in my Cloudifornication presentation and the recent issues related to it. Ignore pragmatism.
Take my challenge instead…Here’s my dare:
- I’ll pay for an AWS EC2 instance for a month
- You choose the OS and LAMP stack components you’ll deploy in this AMI
- You harden it however you see fit, but ensure the web server can be reached via port 80 from the Internet*
- You put a .txt file somewhere on a readable filesystem (mounted) or create a row in a DB accessible via the web server
- This .txt file or row in the DB contains the following: Your name, (billing) address, social security number, credit card number, mother’s maiden name and your bank’s ABA routing number and checking account number
- I’ll invite some people I know to test your hypothesis for you
Let’s see if they want to put their money (literally) where their mouths are. After all, they claim that Cloud providers will be able to secure their applications and data.
I triple-dog-dare you.
The only diatribes we ought to be spared are those that themselves lack the balance of reality, responsibility and maturity they accuse others of lacking.
It’s not that Cloud deployments *can’t* be at least as secure as non-Cloud deployments with appropriate adjustments. My issue with these wanderlust expressions is the implication that, today, Cloud providers not only achieve parity but exceed it, and that they possess some capability or technology the rest of us do not. Given the challenges we have, that claim is simply not credible.
I’m all for evangelism, but generalizing about the state of security (in Cloud or otherwise) is a complete waste of electrons. Yes, Cloud brings us opportunity and acts as a forcing function and we *will* see improvements, but NOT because we put blinders on and pretend that the delivery model (Cloud) will fix 40 years of legacy computing challenges — especially since Cloud is built upon most of them in the first place!
* Feel free to use SSL if it makes you feel any better.