May 06, 2011

The secure enough cloud

Having spent a large part of my career working in information security, both at Microsoft and Amazon Web Services, I tend to read a lot of security news -- especially when it invokes "cloud." (Indeed, at the New York Cloud Expo in June, I'm delivering an entire presentation on cloud security.) A very interesting bit of news crossed my RSS reader the other day. A couple quotes:

The idea is to reduce vulnerabilities inherent in the current architecture and to exploit the advantages of cloud computing and thin-client networks, moving the programs and the data that users need away from the thousands of desktops we now use -- up to a centralized configuration that will give us wider availability of applications and data combined with tighter control over accesses and vulnerabilities and more timely mitigation of the latter.

This architecture would seem at first glance to be vulnerable to insider threats -- indeed, no system that human beings use can be made immune to abuse -- but we are convinced the controls and tools that will be built into the cloud will ensure that people cannot see any data beyond what they need for their jobs and will be swiftly identified if they make unauthorized attempts to access data.

These words are from Gen. Keith Alexander, chief of the U.S. Cyber Command, in testimony to Congress during March. Especially notable is the chief's view that clouds can be built sufficiently secure, while they have yet to prove their promised savings of manpower and money. Wow!

It reminded me of a regular mantra from my security talks: the answer to the question of "How much security?" is "Just enough." Of course, quantifying "just enough" takes a bit of work. Alas, with so many security checklists floating across the 'tubes, it's tempting to blindly follow someone else's advice. This is exactly the wrong thing to do.

A key point to remember is that many security decisions involve making some kind of tradeoff. Bruce Schneier describes this very well in the beginning of his TED talk:

 

To be secure in the cloud requires trading off one form of control for another. Traditional security controls are grounded in location: if you know where something is, and you can claim ownership of it, then it's probably secure. If you don't know where something is, and someone else appears to own it, then it's probably not secure.

In the cloud, location-based security as a concept falls apart. You can't pinpoint the exact location of your data (building, room, rack, unit, drive). Someone else is the steward of your data -- though cloud providers should be clear that you still retain full ownership. Does this mean that, to achieve the promised benefits of cloud, your tradeoff requires giving up all security?

No. The tradeoff you make is one of kinds. You give up the old model and instead adopt a new one. This model is built from service level agreements, auditable security standards, and encryption plus digital signatures. You can retain control of the data even though you don't have control of the infrastructure. In one respect, the model isn't so new: we use it already for connectivity. Where shared pipes (the Internet) have replaced dedicated pipes (leased lines), we rely on these three elements to keep data in transit secure. The model extends to compute and storage, as well.

More to Gen. Alexander's point, he hints at something I call a disinterested third party. Cloud providers don't know about the context of your data and how valuable it is to you. This can reduce insider threats a lot. Providers work to build massive scale with as much automation as possible: fewer humans means fewer errors and less risk. Fundamentally, "how much security?" isn't the right question. Instead, ask yourself "how much risk?" Security decisions guided by sound risk assessment always strike the right balance and make the right trade-offs.

You might be wondering why I chose this moment -- given the recent troubles experienced by cloud providers and other online services -- to write a positive article about cloud security. One could argue that there's never a good time, so why not write when cloud security is on everyone's minds? Cloud computing solves a lot of problems really well. And it's maturing -- compared to just a couple years ago, offerings are more diverse and flexible, coming from well-known and trusted companies. If cloud security is becoming good enough for all but the most sensitive workloads of the Department of Defense, it's probably becoming good enough for the rest of us, too.
