
The Great Cloud Security Challenge: I Triple-Dog-Dare You…

December 27th, 2009

I TRIPLE-DOG-DARE You!

There’s an awful lot of hyperbole being flung back and forth about the general state of security and Cloud-based services.

I’ve spent enough time highlighting both the practical and hypothetical (many of which actually have been realized) security issues created and exacerbated by Cloud up and down the stack, from IaaS to SaaS.

It seems, however, that there are a select few who ignore the issues brought to light and seem to suggest that Cloud providers are at a state of maturity wherein they not only offer parity, but offer better security than the “average” IT shop.  What’s interesting is that while I agree that “Cloud Security is not insurmountable,” neither is non-Cloud security — but it sure as hell hasn’t progressed much in 40 years.

What’s missing is context.  What’s missing is the very risk assessment methodologies they reference in their tales of fancy.  What’s missing is that in the cases they suggest that security is not an obstacle to Cloud, there’s usually not much sensitive data or applications involved.

Ignore the U.S. CIO’s words of wisdom when he discusses the reality of security and moving to the Cloud. Ignore the CIOs and CISOs of the Fortune 500. Ignore everything in my Cloudifornication presentation and the recent issues related to it. Ignore pragmatism.

Take my challenge instead…Here’s my dare:

  1. I’ll pay for an AWS EC2 instance for a month
  2. You choose the OS and LAMP stack components you’ll deploy in this AMI
  3. You harden it however you see fit, but ensure the web server can be reached via port 80 from the Internet*
  4. You put a .txt file somewhere on a readable filesystem (mounted) or create a row in a DB accessible via the web server
  5. This .txt file or row in the DB contains the following: Your name, (billing) address, social security number, credit card number, mother’s maiden name and your bank’s ABA routing number and checking account number
  6. I’ll invite some people I know to test your hypothesis for you

Let’s see if they want to put their money (literally) where their mouths are.  After all, they claim that Cloud providers will be able to secure their applications and data.

I triple-dog-dare you.

The only diatribes that we ought to be spared from are those that themselves don’t offer a balance of reality, responsibility and maturity as those they accuse of doing the same.

It’s not that Cloud deployments *can’t* be at least as secure as non-Cloud deployments with appropriate adjustments.  My issue with these wanderlust expressions is the implication today that Cloud providers not only achieve parity but also exceed it — and that Cloud providers have some capability or technology the rest of us do not — which, given the challenges we have, is simply not credible.

I’m all for evangelism, but generalizing about the state of security (in Cloud or otherwise) is a complete waste of electrons.  Yes, Cloud brings us opportunity and acts as a forcing function and we *will* see improvements, but NOT because we put blinders on and pretend that the delivery model (Cloud) will fix 40 years of legacy computing challenges — especially since Cloud is built upon most of them in the first place!

See here.

/Hoff

* Feel free to use SSL if it makes you feel any better.

  1. December 27th, 2009 at 12:03 | #1

    Very well put!

  2. MadKat97
    December 28th, 2009 at 02:37 | #2

    Is it OK if I encrypt everything besides name and billing address? 😉

  3. Hilton
    December 28th, 2009 at 20:59 | #3

    Interesting. What happens if they get the details?

  4. December 29th, 2009 at 05:28 | #4

    Enjoyed the article. Very well said indeed. In full disclosure, I work for a cloud provider myself, MX Logic, which was acquired by McAfee a few months ago. You're 100 percent right. I don't think Cloud providers have some capability or technology that others don't. As you rightly point out, the cloud doesn't eliminate security concerns. It is in fact a different delivery model.

    However, I do think that cloud providers have what a lot of end users don't have – focus, time & resources. For me at least, it's not about "cloud" technology vs. "non-cloud" technology. Instead, it's about "outsourcing" or doing it "inhouse"? Sure, I could change the oil on my car as well as Jiffy Lube? I have access to the same tools and oil they do after all. But even if I could do it better than they could, could I do it as efficiently or as cheaply (considering the cost of my time)? Dumb analogy, but you see my point.

    Anyhow, I enjoyed reading your article and thought I'd throw this out there.

  5. December 29th, 2009 at 05:37 | #5

    Funny, I thought Hilton must work for a cloud provider.

    @Charles,

    Yes, there are some efficiencies and cost reductions possible due to critical mass. Marcus Ranum posted yesterday (Tenable blog) from a round table discussion (IANS) on cloud security that different environments and delivery models can bring new unforeseen problems, and that extrapolation from an enterprise environment to the cloud, case in point encryption, should not be assumed to just work as expected.

  6. Pete
    December 31st, 2009 at 08:00 | #6

    Chris –

    I don't understand the point of your challenge. Would the "people you know" have less success in a privately-hosted environment configured the same way?

    Pete

  7. December 31st, 2009 at 08:58 | #7

    @Pete

    Actually, you didn't miss the point at all — you highlighted it.

    The people doing much of the squawking about securing the Cloud appear never to have actually held positions in security system administration, operations, engineering or architecture.

    They flap their wings about how others ought to do things but when push comes to shove — and this is the point of my challenge — I bet many of them wouldn't know their ass from their elbow when it comes to that which they preach.

    The "people I know" and the "people who have commented on this blog" ask a lot of good questions ("can I encrypt?" as an example) and most specifically the first question they'd likely ask is whether or not, based on an assessment of risk, an application or specific content even belongs in a Cloud environment given the *current* state of capabilities.

    But surely you knew this already…

    /Hoff

  8. Pete
    December 31st, 2009 at 09:18 | #8

    Chris –

    Okay, so your point is not that the cloud is necessarily more (or less) secure than non-cloud environments, but simply that each has a level of risk associated with its context, right? In that case, I agree wholeheartedly (though I believe the starting risk level is a bit higher for cloud than private environments).

    Thanks for the clarification – I thought you might be suggesting that the cloud is less secure.

    Happy New Year,

    Pete

  9. December 31st, 2009 at 09:33 | #9

    @Pete

    Correct.

    There are certainly limitations in massive scale public clouds based upon limited visibility and co-dependency with the security capabilities of the provider, but that doesn't mean (as I stated) that compensating controls cannot be deployed — to an appropriately managed level of risk.

    As with most things, this comes down to maturity. Cloud is as secure or insecure as you choose to make it based upon whom you chose to use as a provider and what you put in place to keep them honest or supplement their capabilities — but there's no magic pixie dust here (as usual.)

    The problem I have with the folks who take the opposite stance — that Cloud is MORE secure — based on simple conjecture or assertion that because they *must* be more competent in these area of security is that they don't offer empirical proof as such AND they ignore issues we're already experiencing.

    Happy New Year to you too, Pete.

    /Hoff

  10. ivan
    January 5th, 2010 at 10:25 | #10

    Hoff c'mon!

    Your challenge is ridiculous! (and lame…)

    Why ridiculous? Because there is almost absolutely no upside for a would-be adopter and quite substantial downside. As it stands right now, it is a rhetorical challenge (aka troll) and you shouldn't expect (I am sure you don't) anybody to take it.

    Why lame? Because even if somebody actually accepts it, successful completion of the challenge does not constitute proof of, or bear any relevance to, the validity of the hypothesis that "cloud providers have better security posture than average IT shops", while failure doesn't help to disprove the hypothesis either.

    For the above I am assuming "success" to be defined as the event in which a month after its deployment the adopter's PII remains not disclosed to the "people you know" or that even if it was disclosed to them, such disclosure wasn't strictly attributable to their actions on the cloud provider's infrastructure.

    you said:

    > I triple-dog-dare you.
    >
    > The only diatribes that we ought to be spared from are those that themselves don’t offer a balance of reality, responsibility and maturity as those they accuse of doing the same.

    but your own triple-dog-dare doesn't seem very balanced either… it reminds me of security vendors claiming that their product is uber-ultra-umbra-secure and organizing "hackme" contests with cash prizes to support their claims by showing that none of the contestants succeeded, only here it is a contest without cash prizes for the potential winners.

    I'm quite sure you can come up with a better (and still empirical) way to make your point.

  11. January 5th, 2010 at 11:08 | #11

    @ivan

    "it's a rhetorical challenge" < That's right.

    As to your other comment:

    "Because even if somebody actually accepts it, successful completion of the challenge does not constitute prove or bear any relevance on the validity of the hypothesis that “cloud providers have better security posture than average IT shops” while failure doesn’t help to disprove the hypothesis either." < That's right.

    So, if you go re-read the post and then read the comments, it should become very clear to you exactly what my point was and why I made it the way I did.

    If it's not apparent, perhaps you might read my other blog posts on the topic of cloud and recognize that I have always said that Cloud is as secure as you AND your provider make it.

    Perhaps HTML5 will have "< sarcasm > and < /sarcasm >" tags.

    /Hoff

  12. ivan
    January 5th, 2010 at 11:51 | #12

    @Hoff

    I understood the post when I read it the first time; reading it again did not make a difference. I am also very familiar with your previous posts and publications about cloud computing security.

    I was criticizing the form of your blog post (daring people to take a challenge that would yield no benefit to them and would not prove anything anyway), not its substance. The sarcasm of your triple-dog-dare was diluted when you ended the blog post on a more serious note, and hence I thought you actually did mean to find participants for your open challenge.

  13. January 5th, 2010 at 12:00 | #13

    @ivan

    Sigh.

  14. Dan
    January 6th, 2010 at 00:40 | #14

    I have a serious but slightly off-the-wall question. How are we to pronounce IAAS? Is it… Arrrseee? Because if so, we need a new acronym!

    /out

  15. ChrisP
    January 8th, 2010 at 00:02 | #15

    Help me understand something. From a security standpoint, how or why does Amazon's EC2 come in the picture here? You are challenging basic web application security practices. Why would a secure web application suddenly find itself weakened by moving to a cloud provider hosting space?
