Tag Archive for 'Cloud Computing'

Is the Cloud a safe place for your children ?

Internet security

With the recent events around the Twitter information leaked by a hacker, cloud computing security has become one of the most discussed topics on the web.

Just like any other hot topic, this one carries its share of confusion alongside the interesting points of view brought by each party.
The first source of error is that no one seems to agree on a definition of Cloud Computing. This closely resembles the SOA debate and, surprisingly (or not), you will find the same players behind it.
So what is Cloud Computing? Answers vary: platform, services, applications, technical resources, or a combination of all of these. This debate alone deserves a specific post. For the sake of this article, I shall propose a simplified view. We will define Cloud Computing as a platform for providing a service (i.e. through an application, which is not necessarily SaaS), allowing it to dynamically adapt to usage (in terms of resources, composition of services, platform evolution).
Many services are hosted on a cloud. Whether you’re using Gmail or Google Docs, Twitter, Amazon’s AWS or Otherinbox, you’ll end up crawling in the cloud even if you’re not really aware of it. While several companies are outsourcing their infrastructure to public clouds, many questions arise about the liability of these kinds of applications. Is it safe to use them? Is it safe to host anything on a cloud?
For any enterprise, security is a primary concern it needs to deal with. Security applies at several levels:
  • Infrastructure security (Network, Firewalls)
  • Data security (access rights, encryption)
  • Application security (access rights, logic, implementation flaws)
These top-level areas go much deeper when it comes to their implementation, especially if you’re aiming for ISO 27002 (and possibly SOX) compliance.
Any company that is designing or implementing an application should go through a thorough testing process to ensure that no compromise is possible. But, as we all know, zero-fault applications are just the fantasy of a deluded mind, so there is always a level of exposure at some point in time.
Now, is the Cloud more secure than another platform? I would say that being on a cloud only makes a difference if your application is otherwise used internally on a local LAN (or only accessible through a VPN) and hence is not exposed to the world.
So let us come back to the Twitter case. At no point was the security of the Twitter application or infrastructure compromised, nor was that of Google Mail (Gmail). The hacker only used the “forgot your password” feature to guess the answer to the security question. That was basically the same as doing social engineering. The problem is rather at the user level: making the answer too easily guessable by anyone.
Of course, being able to simply guess a one-word answer to a question is a huge flaw, but this is an application design issue. Whether you host it on a dedicated server at your favorite ISP, or you host it in your own datacenter and have it exposed to the world, won’t make any difference. The hacker would still be able to retrieve the password and from there gain access to other services.
Now, as we are all using applications on clouds, a lot of data gets potentially exposed. But again, the exposure is only greater compared with applications used internally. This is a prime reason why enterprises are still reluctant to host or use business apps (Financials, CRM, HR) on clouds. They want to have full control over their platform, from network access to data storage.
With this level of exposure, the security framework for applications must be reinforced in order to minimize any possibility of gaining unauthorized access and compromising user data. This exposure should also come with proper training of the users in all the basic requirements for secure usage (password policies, social engineering). Currently, there are no security standards that will ensure the safety of your data. Ideally, you would have to combine password authentication with some kind of physical check, like a token generator (e.g. RSA SecurIDs), which would be the only way to make sure the person logging in is the rightful owner of the account. At sign-up time, if you own a SecurID for example, you would provide your card info so that you can authenticate to the site with it.
So is the cloud a totally safe place for your children? I would say no. But it is not any more dangerous than any other kind of hosting or application. All you have to do is trust that your providers will do their best to ensure your safety.

Cloud Computing explained

You’ve been hearing about Cloud Computing but could hardly define what it is or what it is used for. This 5-minute video will take you through it and light your way.