You Use Cloud Computing - Is it Secure?
Author: Clareity Consulting (www.callclareity.com)
Don't forget information security in your rush to use cloud computing! "Aha!" you might say, "I don't use cloud computing." But maybe you do! Facebook, Google Apps, Salesforce.com, and Quicken Online all use "the cloud", as do some of the hottest real estate applications like CloudCMA and RBI.
What is cloud computing? In a nutshell, it refers to a remotely hosted, available-from-anywhere, Internet-based software, platform, or infrastructure. Before cloud computing, when you wanted to find hosting for a web application, you had to buy or lease servers, a rack in a data center, and bandwidth - with cloud computing you click a button and you have a virtual server hosted across a huge data center infrastructure that you didn't have to set up - click again, and you have more virtual servers, again spread out over many servers and maybe even several data centers. The barrier to entry to starting a technology business is lessened, system administration costs are lowered, and as a result it paves the way for new opportunities. Vivek Kundra, our government's CIO, says, "I believe it's the future. It's moving technology leaders away from just owning assets, deploying assets and maintaining assets to fundamentally changing the way services are delivered." There you are - cloud computing is a garden of Eden.
But every Eden has an apple, and for cloud computing, that apple is information security.
But first, let's point out some of the security advantages of the cloud. Most clouds are hosted by companies, such as Google, Amazon, and Microsoft, which have dedicated information security staff monitoring the cloud at all times, and which have a greater investment in security infrastructure than many other companies do in their own infrastructure. The potentially massive resources of a cloud computing infrastructure make it more difficult for a distributed denial of service (DDoS) attack to take down your environment. If there is a security breach, it's easy to redeploy a massive server farm from a single "secure" master image and be up and running again quickly - and if there are infrastructure issues at fault during the breach, you can get support from your cloud provider.
So, what are some problems with cloud security? I mentioned the capacity to scale to address denial of service attacks, but your company has to pay for those server resources and for that burst in bandwidth. You may have offloaded responsibility for infrastructure administration, but that means you are trusting your vendor's security model, have issues with indirect administrator accountability, don't have access to the underlying computer logs (beyond your virtual environment) - and there's a lack of transparency in proprietary cloud implementations that can make system administrators nervous. Depending on the cloud, your data may also be spread out across servers and networks that you no longer physically control - some clouds even dispersing your data to other countries where you have less legal control over it. If you have invested in hardware based security capabilities (firewalls with web filtering, layer 7 (application) protections, anti-spam, and intrusion prevention systems) you will have to replace those with software that works in the cloud - and that market is still in its infancy so you might not find a replacement to suit your needs. The security of virtual operating systems is easy to manage, but still your own responsibility, and you are dependent on the security of that virtualization system (a "hypervisor") to keep your systems and data isolated from other cloud tenants. Maintaining many levels of encryption - for the control interface, administrator access, application access, and for data at rest - is still challenging in many cloud environments.
With a dependency on a cloud infrastructure, it can be difficult to respond to some issues that arise during a security audit, and if there is a breach, you can no longer 'bag and tag' the hard drives in question to evaluate forensically and maintain as forensics evidence. Cloud forensics *must* evolve because, while I mentioned how easy it is to re-create a server farm in the cloud environment, the first step in recovering from a breach is to figure out what went wrong and make the changes needed so it never happens again - redeploying a vulnerable server quickly has limited value. Finally, the cloud is an attractive new target for hackers. Even if a hacker doesn't care about your application, they may be going after another company hosted on the same infrastructure as your own application is, and you might get the fallout from their attack.
So, cloud computing is hardly a computing garden of Eden - but we don't live in that garden today and we get by. We have to evaluate our risks, make our decision, and manage our risks as best we are able. Cloud computing isn't a fad - it's here to stay. I'm sure that the computer security market will catch up to overcome the security challenges - after all, there will be money to be made there. I think there is tremendous opportunity, at least in the long term, for the cloud environment to end up with significant security advantages over traditional deployment - and I'm looking forward to that time.
Postscript: I received a question 'off line' asking about whether an app in the cloud can be PCI DSS Compliant - compliant with the credit companies' rules for taking credit cards. The common wisdom is no, not in the 'public' cloud. However, if one has a private cloud, or a secure community cloud develops, those clouds could theoretically be PCI compliant.
Here are some other folks' opinions who unpack the answer to this question in some depth:
What Does PCI Compliance in the Cloud Really Mean?
"PCI Compliance" and "Public Cloud" don't mix
About the author:
Matt Cohen is Clareity Consulting's Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.
Home Page |
The Company |