Google FAIL and the Fog Over Cloud Security

Recent Google failures have renewed debate over whether it's foolish to trust the computing cloud. But the biggest threat remains our lack of understanding.

Late last year, when I interviewed Google Apps senior security manager Eran Feigenbaum and his marketing partner, Adam Swidler, they talked up Google's place in cloud computing and how it was in a prime position to make a difference with cloud security. [Four Questions On Google App Security]

But when Google suffers a massive outage as it did last week -- followed by another one yesterday -- people can't help but have their doubts.

Google content accounts for about 5 percent of all Internet traffic, so when it went down, many who have come to rely on its myriad applications to conduct business were dead in the water.

Meanwhile, attackers have been adding insult to injury by flooding Google search results with a fire hose full of malicious links, prompting the U.S. Computer Emergency Response Team (US CERT) to raise the red flag [Attack That Poisons Google Results Worsens].

These are troubling events that illustrate just how perilous the cloud can be. But don't believe those who suggest this is a new threat. It merely validates the security concerns smart people have been raising for a very long time.

One of the people I trust on this issue is Chris Hoff, whose recent cloud security talk at SOURCE Boston attracted a crowd that included security luminaries like Dan Geer [CSO podcast interview with Geer] and Marcus Ranum.

Hoff has warned repeatedly that companies are moving too fast on cloud computing without truly understanding what it's about first. ["This love affair with abusing the amorphous thing called 'THE Cloud' is rapidly approaching meteoric levels of asininity," he told me in one interview.]

Another voice I trust on the issue is Ariel Silverstone, a veteran of the Israeli Defense Forces with experience in physical and information security who regularly contributes to information technology certification exams and to newspapers, magazines and online publications like CSOonline.

In his latest CSO column [Cloud Security: Danger (and Opportunity) Ahead] Silverstone noted that the breathtaking pace of cloud computing adoption demands that the technology evolve with stronger security woven into the architecture.

"We approach quickly the point in which the amount of data and of processing in the cloud will be not only unmanageable but also pose a security and related privacy risk to the users of the data, and to people who the data concerns," he wrote.

This is like every other piece of technology that has come before and is still yet to come. We need to raise awareness as to what the technology is all about, how it ticks, and how the bad guys have learned to exploit it to steal our data. Companies continue to rush into new technological deployments with little consideration of the security needs. The fact that so many people [including me] have come to depend on Google Apps to get work done speaks volumes.

We need to listen to people like Hoff, Silverstone and many others when they try to get us to slow down and examine how the pieces fit together before we start pressing all the shiny buttons.

That doesn't mean we run away from the technology, and the experts I've mentioned above do not suggest we do so, either.

Cloud computing is here to stay and the business world is going to grow even more dependent on it. Google has vastly altered the way we do our daily computing and the digital miscreants of the world will always set their sights on the biggest targets.

Instead of getting spooked by what happened with Google this month, let's see what we can learn from the experience to make cloud computing more secure.

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to bbrenner@cxo.com.
