Sunday, January 3, 2010

Cloud Security - Concerned Much?!

Cloud computing providers claim to have infrastructure and assets in place to ensure the security of the client's data as effectively as possible, but will these measures be enough to maintain the stated security as subscribers grow and more subscribers share the same infrastructure and assets?

One train of thought regarding the cloud is that crackers may not be able to target a specific prey and thus our data will be safe. Hooray!!!

However, wouldn't the same marketing pitch regarding ease of access, lower IT costs and flexibility be tools that a cracker can capitalize on to breach more systems?

My accountant recently stated that he was concerned about data ownership within the cloud and security within that ownership. Whilst he is looking to cut IT spending, he claims that for now, if we decide to buy cloud services, they will be used for data that we can afford to lose and to create a separate virtual working environment for our contractors.

A few of my associates ask the same question, as well as “how confident can we be that our data is still ours when held within the cloud, and who holds responsibility if our ‘data segment’ within a cloud is compromised?”

Having been within security environments (both physical and virtual) for over 12 years, I always start with a worst-case scenario and work up, no matter the environment.

Within the cloud, one of my concerns is: what if my “neighbor” manages to access my allocated segment and use my data or utilities to commit a crime? I could have fingerprints and tracebacks pointing to my data segment with no means of proving that I was not complicit. Then what?!

Another cause for concern is the process of accessing data stored in a cloud. In the OSI environment, we will fire up a web portal to access the Internet and hope that we are properly secured via Intrusion detection and prevention systems.

In the cloud, however, how can the processes from the web portal to the application we are accessing, as well as application-to-application and application-to-data interaction, be kept secure?

Will we use the traditional methods of encryption and authentication, and if so, how can we manage and track such applications? I would venture to state that tracing participating entities down to specific functions will be time- and labor-intensive and thus counterproductive for the cloud provider.

I recently read a case study located on microsoft.com/casestudies regarding Windows Azure, which states that customers “can enhance their services with additional layers of security by implementing VeriSign SSL for encryption and authentication, just as they would in an on-premises server infrastructure environment.” Sounds great, right?!

But the pessimist in me responded with: well, didn't Moxie Marlinspike demonstrate techniques to defeat SSL encryption at Black Hat 2009? And as a cloud subscriber, wouldn't you also want to know how data is validated so that expectations are met for both data going out and data coming in and, just as pertinent, how error handling will be managed by the vendor?

The list of concerns goes on and on, and only time and techniques will govern how we deal with security within the cloud. I am certain that companies such as RSA or any one of the other established security providers, as well as up-and-coming startups, will present effective encryption and authentication methods for use within the cloud, and maybe in a few years we will wonder what all the fuss was about. Right?