5 Reasons Why IT Security People Shouldn’t Ignore Cloud Computing
You’ve read the headlines. You’ve heard the buzzwords.
Cloud Computing just seems like hype, right?
“But it’s just another technology getting hyped to the max”.
The best case scenario is that your analysis is correct and you can go back to reading Slashdot and Daily Dave (you are reading Daily Dave aren’t you?). You can pride yourself on your ability to recognise web hysteria and laugh at the losers that invested, wrote blog posts (!) and dared to take it seriously.
OK. Now let's flip that around and just say for a moment you're wrong - that Cloud Computing turns out to be a huge deal and takes off. What could that mean for your day job? No in-house servers to secure? No in-house security operations to deal with? No in-house penetration tests to run? No vulnerability assessment tools to run? No incident response where you actually 'do something'?
One scenario is you find yourself on a constant round of conference calls with 3rd parties trying to ‘pin down’ security in the cloud… If you thought handling security issues associated with outsourcing was painful and slow, the Cloud will bring a multitude of competing providers that decision makers can switch from ‘digitally’ when the numbers ($$) make sense.
As the person responsible for your employer’s security arrangements, you may want to consider these 5 reasons for not dismissing Cloud Computing out of hand:
- Unless you work for an IT company, your employer did not go into business to 'do IT'. They are in business to sell a product or a service - in-house IT may have enabled that up to now, but it was out of need rather than desire. Cloud Computing has hit the cover of popular business magazines - it's starting to get on the radar of CEOs who ask questions like 'how can I cut my costs?' and 'how can I make my business more agile?'. They may not switch overnight, but once the first goes in a given vertical, the clock is ticking.
- The temptation to contractually outsource security responsibility. "Our customer data got stolen from a cloud storage provider - not us - we don't run IT!". Sure, the buck stops with the org from a regulatory perspective, but media coverage around recent data leakages involving 3rd party providers elicits a mixed reaction and thus diffuses the "reputation issues" to some extent.
- The skills you need to deal with Cloud Security may be different from the skills you have today. Your "window" on Cloud security will be what the Cloud Provider gives you. Beyond that you may be able to do an on-site audit from time to time, but it's a shared facility, so no monkey-in-a-cage pen-testing, scanning or filesystem forensic analysis.
- There’s a large cloud forming over the horizon. The level of investment by providers doesn’t bear ignoring. IBM, Google, Amazon, Microsoft and others are ploughing hundreds of millions of dollars building out data centers specifically for Cloud Computing.
- You may just end up working for the Cloud Provider! This is something I believe will start happening in the next 2-3 years. If you need a second opinion, go see Richard Bejtlich's blog, where he shared his own perspective.
What say you? Hype or pending reality?
you meant elicit, not illicit http://dictionary.reference.com/browse/elicit
Whoops - what was I thinking of when I wrote that? ;-). Thanks Michael - good catch.
It’s definitely a reality. Right now it is still in the realm of early adopters, but the benefits to the bottom line are enormous. Just think of the cost savings, no electricity for servers, no servers, no network bandwidth to get to your servers, employees can be distributed because they can access your information anywhere, so you can have smaller offices and get smarter more progressive employees.
The big companies are always slower to adopt. They want to know the environments are proven before they get on board, it’s logical. Not all problems are well solved by cloud computing, but many are.
The real benefit is to providers of web based software like http://www.qrimp.com. We can leave the infrastructure management issues to Mosso and focus on our software. Our customers are already savvy enough to know that it doesn’t make sense to build your own server farm and bear the costs associated with that. We take that one step further and alleviate the need to write code to make software.
That kind of synergy is going to lead to an explosion and we’ve only just lit the fuse.
Randall
Thanks for your comment and sharing news of your company with everyone ;-).
I’m curious, does Mosso have a primary security contact well versed in IT security, including security incident response? Or do you get assigned a ‘generalist’ support contact? The reason I ask is that I searched Mosso’s website and wasn’t even able to find a security email contact - if I missed it - please let me know.
All the best,
Cheers
Craig
I’ve only had one security issue and spoke to a system admin about that one. It was the result of a tightening of security during a migration to IIS7, which I appreciated, so I made a change to fix the issue.
I don’t know of someone there dedicated to security issues. Most customers go to the live chat to get issues resolved and they are general support personnel. They can fix most things, but tougher issues get a ticket and passed on to specialists. I’ve also seen issues brought up in the discussion forum.
Hey Randall, thanks for replying.
That's interesting, as I would have thought a well-known shop like Mosso would provide a dedicated security contact - especially for business customers. Certainly in some verticals company security policies around incident response may require 'established points of contact' for security concerns.
The “selfish” reason for a vendor or service provider to have a dedicated security contact is to make sure they hear about security vulnerabilities before security mailing lists do! The standard these days is to have an address like “security@company.com” with someone well versed in security matters at the receiving end.
In fact, to put it to the test I just tried sending an email to security@mosso.com - this was the result:
Delivery to the following recipient failed permanently:
security@mosso.com
Technical details of permanent failure:: Recipient address rejected: User unknown
PERM_FAILURE: Gmail tried to deliver your message, but it was rejected by the recipient domain. The error that the other server returned was: 550 550
—
Cheers, Craig
That’s a good point. We’ll set one of those up for Qrimp.
Craig’s comment “Thats interesting as I would have thought a well-known shop like Mosso would provide a dedicated security contact - especially for business customers” illustrates how the cloud service providers view the businesses that use them — as just another user beneath the cloud.
In their perspective, the live chat link IS the dedicated security contact point for their customers (you want a dedicated PERSON — that’s going to cost you!).
Cloud computing suffers from the “if you build it, they will come” mentality. The fact that IBM, Google, Amazon, Microsoft and others are ploughing hundreds of millions of dollars into building out data centers specifically for Cloud Computing does not guarantee acceptance or success.
When the cloud finally opens up with its deluge, the users beneath the cloud will be the ones to get soaked.
Mike
@Mike: there are definitely some challenges the cloud providers need to rise to - I don't think anyone is saying it's 'guaranteed success'. I'm interested in your comment about support - what are your reasons for suggesting it will be poor/negative? Thanks for commenting.
Most of the justification for cloud computing centers around cost avoidance as Randall’s comment “Just think of the cost savings, no electricity for servers, no servers, no network bandwidth to get to your servers” illustrates. Once companies succumb to the cost-cutting zeal, it is all too easy to carry this one step further and add “minimal or no support staff” (After all, we’re providing users with the live chat link and discussion forums!).
I’m suggesting that support will be poor/negative in this scenario because I don’t believe that the cloud service providers will see the value in forking over big bucks to pay someone to sit on the other end of a live chat link. As a result, the customers beneath the cloud are left to deal with people who are probably not highly trained/experienced in the field.
Security is another critical aspect that businesses need to consider before jumping on the cloud computing bandwagon.
When companies put their data in the cloud, what prevents that company’s data from being on the same physical drive as a competitor’s data?
If a business decides to change cloud service providers, how can the business be sure that the provider no longer has its data when that data exists in every backup made while the business used the provider? What might happen to that data in the future?
If one considers the users of MySpace to be similar to businesses beneath the cloud, then the recent MySpace bug can be used to illustrate this problem.
Here’s a brief excerpt describing the MySpace bug from http://www.wired.com/politics/security/news/2008/01/myspace
The cloud service provider (MySpace) assured users that they didn’t need to worry about the security of their private data because the provider had already added security features for all users (Just set your profile to private and we’ll do the rest). All users of the cloud service provider received a similar level of security — and since that security turned out to be flawed, all users were equally vulnerable.
In the MySpace case, the loss may not have been catastrophic; however, if you carry the analogy over to businesses that choose to do business “in the cloud”, it could be.
Imagine if a business discovers that its main competitor uses the same cloud service provider and decides to invest a little time and money into finding a backdoor means of gaining access to that company’s secrets and proprietary data. By the time the cloud service provider, the targeted business or its customers find out that the backdoor existed it will be too late for everyone involved.
As you stated in your original post, the targeted business can say "Our customer data got stolen from a cloud storage provider - not us - we don't run IT!", thus preserving their reputation and allowing the deluge to flow down to the lowest level — its customers. This might be a good short term strategy for the business, but they will quickly realize that the deluge can only flow down for so long before the water rises and everyone is in over their heads.
Mike
Apr 23rd, 2008 at 2:41 pm
[…] 5 Reasons Why IT Security People Shouldn’t Ignore Cloud Computing - Craig Balding tells us 5 reasons we should be paying attention to cloud computing now. […]
Jun 19th, 2008 at 11:57 pm
[…] Security remains a question mark for many organizations that are considering moving their business apps into the cloud. Craig Balding, an IT security practitioner at a Fortune 500 company, publishes a blog called Cloud Security that does a good job of addressing these questions. He was recently interviewed on NPR’s Monday morning technology show in a segment called Cloud Computing and Security for the Masses. It’s a good overview of what cloud computing is and why the trend matters to businesses. In addition to this primer, Craig’s blog is worth browsing to get a corporate IT professional’s take on this trend, with posts like 5 Reasons Why IT Professionals Shouldn’t Ignore Cloud Computing. […]