GigaOm’s Alistair Croll on Cloud Security: The Sky Is Falling!…and So Is My Tolerance For Absurdity
I just read the latest blog of Alistair Croll from GigaOm titled "Cloud Security: The Sky Is Falling!" in which he suggests that we pillow-hugging security wonks ought to loosen our death grips on our data because not only are we flapping our worry feathers for nothing, but security in "the Cloud" will result in better security than we have today.
It's an interesting assertion, really, that despite no innovative changes in the underpinnings of security technology, no advances in security architecture or models and no fundamental security operational enhancements besides the notion of enhanced "monitoring," that simply outsourcing infrastructure to a third party "in the cloud" will in some way make security "better," whatever version of "the Cloud" you may be describing:
I don’t believe that clouds themselves will cause the security breaches and data theft they anticipate; in many ways, clouds will result in better security. Here’s why:
- Fewer humans – Most computer breaches are the result of human error; only 20-40 percent stem from technical malfunctions. Cloud operators that want to be profitable take humans out of the loop whenever possible.
- Better tools – Clouds can afford high-end data protection and security monitoring tools, as well as the experts to run them. I trust Amazon’s operational skills far more than my own.
- Enforced processes – You could probably get a co-worker to change your company’s IT infrastructure. But try doing it with a cloud provider without the proper authorization: You simply won’t be able to.
- Not your employees — Most security breaches are committed by internal employees. Cloud operators don’t work for you. When it comes to corporate espionage, employees are a much more likely target.
Of course it takes people to muck things up, it always has and always will. Rushing to embrace a "new" computing model without the introduction of appropriately compensating controls, adapted risk assessment/management methodologies and practices will absolutely introduce new threats, vulnerabilities and risk at a pace driven by supposed economic incentives that have people initially foaming at their good fortune and then fuming when it all goes bad.
This comes down to the old maxim: "guns don't kill people, people kill people." Certainly "the Cloud" alone won't increase breaches and data theft, but using it without appropriate safeguards will.
This is an issue of squeezing the balloon. The problem doesn't change in volume, it just changes shape.
Those of us concerned about security and privacy in cloud computing models have good reason to be concerned; we live with and have lived with these sorts of disruptive innovations and technology before and it really, really screws things up because the security models and technology we can lean on to manage risk is not adapted to this at all and the velocity of change eclipses our ability to do do our jobs competently.
Further bonking things up is the very definition of "the Cloud(s)" in the first place.
Despite the obvious differences in business models, use cases, technical architecture as well as the non-existence of a singularity called "The Cloud," this article generalizes and marginalizes the security challenges of cloud computing regardless. In fact, it emphasizes on one leg of the IT stool (people) to the point of downplaying via the suspension of disbelief that the other two (process and technology) are problems less deserving of attention as they are magically addressed.
To be fair, I can certainly see Alistair's argument holding water within the context of an SME/SMB with no dedicated expertise in security and little or no existing cost burden in IT infrastructure. The premise: let your outsourced vendor provide you with the expertise in security you don't have as they have a vested interest to do so and can do it better than you.
The argument hinges on two things: that insiders intent on malicious activity by tampering with "infrastructure" are your biggest risk eliminated by "the cloud" and that infrastructure and business automation, heretofore highly sought after elements of enterprise modernization efforts, is readily available now and floating about in the cloud despite its general lack of availability in the enterprise.
So here's what's amusing to me:
- It takes humans to operate the cloud infrastructure. These human operators, despite automation, still suffer from the same scale and knowledge limitations as those in the real world. Further the service governance layers that translate business process, context and risk into enforceable policy across a heterogeneous infrastructure aren't exactly mature.
- The notion that better tools exist in the cloud that haven't as yet been deployed in the larger enterprise seems a little unbelievable. Again, I agree that this may be the case in the SME/SMB, but it's simply not the case in larger enterprises. Given issues such as virtualization (which not all cloud providers depend upon, but bear with me) which can actually limit visibility and reach, I'd like to understand what these tools are why we havent' heard of them before.
- The notion that you can get a co-worker to "…change your company's IT infrastructure" but you can't get this same event impact to occur in the cloud is ludicrous. Besides the fact that the bulk of breaches result from abuse or escalation of privilege in operating systems and applications, not general "infrastructure," and "the Cloud," having abstracted this general infratructure from view. leaves bare the ability to abuse the application layer just as ripely.
- Finally, Alaistair's premise that the bulk of attacks originate internally is misleading. Alistair's article was written a few days ago. The Intranet Journal article he cites to bolster his first point substantiating his claim was written in 2006 and is based upon a study done by CompTIA in 2005. 2005! That's a lifetime by today's standards. Has he read the Verizon breach study that empirically refutes many of his points? (*See Below in extended post)
As someone who has been on both the receiving end as well as designed and operated managed (nee Cloud) security as a service for customers globally, there are a number of exceptions to Alistair's assertions regarding the operational security prowess in "the Cloud" with this being the most important:
As "the Cloud" provider adds customers, the capability to secure the infrastructure and the data transiting it, ultimately becomes an issue of scale, too. The more automation that is added, the more false positives show up, especially in light of the fact that the service provider has little or no context of the information, business processes or business impact that their monitoring tools observe. You can get rid of the low-hanging fruit, but when it comes down to impacting the business, some human gets involved.
The automation that Alastair asserts is one of the most important reasons why Cloud security will be better than non-Cloud security ultimately suffers from the same lack of eyeballs problem that the enterprise supposedly has in the first place.
For all the supposed security experts huddled around glowing monitors in CloudSOC's that are vigilantly watching over "your" applications and data in the Cloud, the dirty little secret is that they rely on basically the same operational and technical capabilities as enterprises deploy today, but without context for what it is they are supposedly protecting. Some rely on less. In fact, in some cases, unless they're protecting their own infrastructure, they don't do it at all — it's still *your* job to secure the stacks, they just deal with the "pipes."
We're not all Chicken Little's, Alistair. Some of us recognize the train when it's heading toward us at full speed and prefer not to be flattened by it, is all.
/Hoff
*You might be interested in this summary of the Verizon Breach Study:
Some of the findings may be contrary to widely held beliefs, such as that insiders are responsible for most breaches. Key findings include:
- Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.
- Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.
- Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.
- Nine of 10 breaches involved some type of "unknown" including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period.
- In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple – if you don't know where data is, you certainly can't protect it.
"I trust Amazon’s operational skills far more than my own."
Do you think he trusts a professional nanny or daycare provider's skills to protect his kids far more than he trusts his own? I'm of the opinion that you offer the most protection to the things you're invested in the most. I think your second to last paragraph hints at that.
I'm reminded of an episode a decade ago in a huge federal agency which had outsourced all of its routers and servers to a well-known service provider. It was a very similar arrangement to cloud computing. The provider worries about everything. You worry about nothing… until it's too late.
We happened to hire a former Cisco engineer locally. Suffice it to say, he was a bit surprised we had outsourced all of our equipment with no admin access. Moments later he had guessed the router password in less than 3 tries. And it turned out the service provider had used the same password nationwide on literally hundreds of routers protecting ultra-sensitive information.
Senior officials spent many months trying to cover up the security disclosure. The service provider is still in place to this day. As a backup of non-sensitive, encrypted data, I'm all for Cloud Computing. Otherwise, you'd have to be nuts!
This is starting to feel like Hoff vs Crosby, round 2…