Security and the Cloud - Still an Issue?

By Richard Porter-Roth posted 06-13-2012 18:32


I was at a cloud conference last week and “security” was again a top issue for both attendees and developers. Quite frankly, I was surprised. Several days later I read a blog about cloud computing and one the responders said he thought there were too many security issues with cloud computing and he would not recommend it for his company. I asked him to outline the security issues and he hedged citing only common problems that any company, whether a cloud company or not, would have such as a stolen password, or an IT security lapse.  After several go-arounds, no one responding to the original blog came up with a security problem that could not happen at their own company. So, Cloud Computing does not enable any new security flaws that were not or do not exist in your own company.

I will say that most of us have two overriding fears, which I am reminded of in this quote: “Mr Dillinger”, asked the very brave radio journalist “Why do you rob banks..?” “Because”, Dillinger replied “that is where the money is.” On its own, ACME LLC is a non-descript 800 person company that no data hacker would likely ever know about let alone try to hack into. But, as part of a cloud-based datacenter, ACME LLC does become an inadvertent target having put its “money” in the “bank.” I'm thinking any data center looks like a target rich environment to a hacker.

If a hacker did get into a CSP (cloud service provider) datacenter, it is possible, but not probable, that the hacker could get access to information stored in the data center. But we should consider two scenarios. The first is that the hacker has gained access to ACME LLC’s account through social engineering and once in the account “may” (depending on the password received) be able to see all ACME's data but most likely only the data controlled by that password. The second scenario is that the hacker actually gains privileged account access to the data center and is able to “roam” around at will. BTW, the Cloud Security Alliance (CSA) lists the top threats to cloud computing here or you can see the CSA site itself,

The second overriding fear is that my data is in a datacenter, who knows where, and if my Internet connection is down I can’t do business. Loss of an Internet connection can be due to things that are out of our control – the cable has been cut (actually happened to me when a PG&E crew severed the cable while digging), ISP is down, a catastrophic event has occurred and everything is down. For these three, there is not much you can do if you are a single physical place company, but let’s look the difference between your company data center and a CSP data center.

If you host your own data, loss of the Internet and an ISP “may” not affect you as your data is on your internal servers and network. In this case, the CSP loses to your internal network but take note that any VPN or Internet clients are out of luck. If it is the case of a catastrophic event in which everything is down, including your own power, datacenter, etc. the CSP would win because the CSP will have multiple data centers that are geographically separated, and will have multiple ISPs so that if one ISP is down, another picks up. Most CSP data centers have their own backup power and backup systems to enable the site to continue to operate through all but the most trying disasters. Most SMBs, and even larger companies, do not have a data backup that is done in real time and there would most likely be several days before they were “up and running” with the backup tapes. Most SMBs, and many larger companies, are not prepared to operate during a disaster and do not have their own power supplies and multiple ISPs.

In a major disaster scenario, it would be possible for you to travel outside of the disaster area and re-establish a connection to your CSP or if you had a second office, the second office would be able to continue working without interruption. Note that if there was a major disaster, many people will not be working for several days to weeks.

But that is the big picture. What are your security concerns about moving and operating in the Cloud?

#cloudcomputing #Collaboration #Security #cloudcontentmanagement


06-20-2012 07:26

I have often found folks in IT Security & RIM to be too quick to say "no you can't do that". Always a mistake but with the tech generation it's a huge mistake. You suddenly became a non whatever, circumvention now starts and they will show you how many holes you really have. Remember the survey that showed some 70% of this generation does not believe all the company policies apply to them.
No matter what the setup, security is an issue. The person with the "keys to the kingdom" is just as bad as the employee who hands over their badge for $$ so someone can go into work on a Saturday morning (no one really looks at the badge picture) to find a loose laptop. Worse they log into work from home for $$ and access (rightly) data that they let others (wrongly) see, etc. Oh yes, this happens more than you know.
Cloud security needs to be checked, verified and monitored just like anything. But it is different and outside control of our wall (the control thing we really, really hate as we love control). Risks are risks an there will be records that will stay within control when needed to make it easier to meet an regulatory issue. I have found for a decade that the server hosting companies have been better at security than many internal groups. Especially when it came to server/network patches and updates.
We will strike the right balance between what can be in the cloud and what needs a very high end, tight control. The human factor will make it harder than it needs to be though. "C'est la vie"

06-19-2012 21:40

It is amazing to see a high number of IT professionals building a stone wall between reality and practicality when it comes to security in the cloud. When we hear this argument, you are usually talking to a close-minded individual that has not done their homework, has not wanted to do any research and is only interested in protecting their environment and infrastructure that they can keep building and perpetuating, year after year. These very same people are using consumer oriented services in the cloud and can't face the reality that they also work in business, and in many cases, work even better!

06-19-2012 16:43

Great post. I find security is a tool in the back pocket of IT managers to avoid the Cloud and protect their domain.

06-18-2012 17:29

See the article in Computerworld
"Though companies are increasingly tightening their BYOD policies, most have yet to address the use of consumer apps and services such as cloud storage on mobile devices."
"Cloud data centers are becoming high-value targets" of data thieves, said Hinchcliffe, raising the possibility that "someone inside the company with the keys to the castle" could be bribed to share data with hackers. "There's a lot of temptation," he added.

06-18-2012 08:25

As you mention in the beginning, security concerns consist of the same flavor for both on-premise and cloud hosted systems. My basic rule of thumb is that if your information is accessible when you aren't physically plugged into your company's network, it is vulnerable.
In fact, unless you are a large organization, you are more vulnerable. The odds are that the Cloud Providers have much better security experts on the payroll than you have at your company with POSSIBLE exceptions for large corporations or government agencies.
As for the hackers, most are either out to prove a point or have some fun. Those trying to have fun look for the point of least resistance or target well-known organizations that will earn them cred for breaking into their systems. Those with a point are targeting specific organizations to prove a point and it doesn't matter where your information is in that situation. If they want to make an example of you, they will.
The real issues are legal and revolve around information ownership, privacy, and the impacts of law enforcement. Check the Megaupload case. Servers were seized and legal content is currently irretrievable. That is an odds game. The odds are in your favor, but that is our next hurdle.