Cloud (in)Security: A Matter of (t)Rust
Alan from the VirtualDC blog wrote a great post today titled "Cloud Security: A New Level of Trust" summarizing some of his thoughts regarding Cloud (in)security.
It's a little depressing because that "new level" of trust he's referring to isn't heightened, it's significantly reduced. I'll hack his longer post a bit to extract two interesting and relevant nuggets that focus on the notion of this changing nature of trust:
- Security has different meanings and requirements depending on the context of how a particular service is accessed or invoked.
- So moving forward, as the security people tear apart the (in)security of cloud computing, the rest of the world will just need to take that leap of trust. A lowering of our standards for what we can control in the cloud’s outsourced data model.
In simply closing our eyes, holding our breath and accepting that in the name of utility, agility, flexibility, and economy, we're ignoring many of the lessons we've learned over the years, we are repeating the same mistakes and magically expecting they will yield a different outcome.
I'll refer back to one of my favorite axioms:
We're willing to give up an awful lot for the sake of convenience, don't you think? Look, I accept the innovation and ultimate goodness that will come out of this new world order, really I do. Heck, I use many of these services.
I also see how this new suite of adapted services are beginning to break down in the face of new threats, use cases and risk models by a cross-pollinated generation of anonymized users that simply do not care about things like privacy or security — until it affects them personally. Then they're outraged. Then the next day, they're back to posting about how drunk they were at the orgy they attended last night (but they use SSL, so it's cool…)
So for me, security and the cloud is really a matter of RUST, not trust: the corrosion of expectations, requirements, controls and the relaxation of common sense and diligence for the sake of "progress."
Same as it ever was, same as it ever was…
/Hoff
More on trusting the cloud: Can you trust that someone else will do security for you? Are you sure?
But you're right. It's just the way things are built. Make it work first, then when it actually (omg) works, maybe scramble to secure it up. And the more people you have in a room creating something, the more chance the guy who pipes up about security will be guilted into submission. Then everyone looks aghast when a weakness is poked.
These are basic assumptions security people should have, along with, "You *will* have an incident." Assume things are built to work first, securely second. Assume progress. Assume progress means convenience will trump security whenever possible (rationality be-damned).
Maybe I just know better…I know other entities aren't just going to magically be secure and good. At least, that certainly isn't the norm. And even if you use cloud computing, doing so quietly without asking the questions and being that security asshole (there's a blog name for someone!) is a travesty.
The trust is built into our psyche and in our upbringing. And that is exactly what attackers use in most attacks.
And it will always be like that, security will be a thorn in everybody's eye. Security people just need to accept that they will always be less popular than the black plague.
Bozidar Spirovski http://www.shortinfosec.net
I'm hoping that the responsibility of providing cloud computing and supporting the scalable aspect of the service allowed for some thoughts into the security of the initial architecture. This is the case where the IT is the business versus the business being supported by IT. But as always the thorn is how to provide the ongoing management and controls for continued security for such critical infrastructure that doesn't interfere with scalability and operations and also supports virtual servers. Innovation may mean looking to solve this problem with a different approach than what traditional security solutions provide today.