The dramatic change in the rate of adoption and the amount of discussion taking place regarding cloud computing demands that this technology, or rather a set of related technologies, continue to evolve utilizing a security-sensitive design.
We approach quickly the point in which the amount of data and of processing in the cloud will be not only unmanageable but also pose a security and related privacy risk to the users of the data, and to people who the data concerns. [Cisco CEO: Cloud Computing a 'Security Nightmare']
In this series of articles, I do not intend to solve the problem of security in the cloud. My intent is to define the problem and propose several salient ways to address it. As always, comments are welcome. [Related: Cloud Computing: Making the Right Choices]
While the term "cloud computing" may be new, the idea certainly is not. Just look at the greatly varying definitions I found while researching this article. These include all of the following technologies:
- 1. The grid
- 2. VMWare and Xen-type virtual machines
- 3. IBM-type mainframes
- 4. Amazon-type flexible storage
- 5. Intel VTX-type hypervisors
- 6. Page files
- And many, many others
Instead of focusing on a specific technology, I propose we define the salient characteristics of cloud computing. For the purposes of this article series, I will define cloud computing as the technology having the characteristics of:
"Service-based data processing and storage capability which is flexible, extensible and virtual"
Some may add the following:
"and available via the Internet"
I will treat the second part of the definition as optional, for the purpose of discussing security. I find that the connectivity method here is secondary to the basic tenets of security, and thus am able to include locally virtualized machines in the discussion.
Generally, the purpose of cloud computing is to avoid the expense involved in building or acquiring the infrastructure. Similarly, when deploying virtual machines, one does not buy multiple servers or separate processors. I find the computing slice concept -- which includes storage, processing power, etc. -- to be a compelling one. In the near future, I predict that we will not even CARE whether the computing slice resides locally or across the world. As long as the computing service is provided in a timely and efficient manner, we will be satisfied.
When dealing with cloud-based delivery, the problem with security grows. Instead of having direct control over our concept of "defense in depth," we now have marginal control at best. Many times, such as with Amazon's EC2 service we have virtually no control, no pun intended. We sometimes do not have even the basic notification of something about to go wrong or something that has.
Both for Amazon's service and for our basic hypervisors, we no longer control ingress to the machine processing space. In the case of Amazon, it is Amazon's routers (and presumably firewalls). In the case of our virtual machine managers, we relegated the inter-memory systems and processes to the handling of a "black box," one that we seldom, if ever, have any control over. These are security problems and I also believe that these are legal problems. Allow me to explain.
What happens if and when data that we store or process on a virtualized machine gets compromised? Will we know? If WE do not know, how will we notify our constituents, especially when data breach notification laws are in place? How will we know to improve our security?
These are not idle words. If you look at the Amazon contract (and this is an example only, I do not wish to "pick on" Amazon, which I appreciate and respect), you will see the following sentences:
"4.3: We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data which you submit or use in connection with your account or the Services."
"7.2: We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications."
What you do not see is that the provider accepts any responsibility or duty to inform the data owner, you, of any breach, notify you of any attempt, nor responds to any incident. The agreements are worded such that the customers' of Cloud computing bear all responsibility for such risks. It therefore appears that any law requiring breach notification, and any regulation or requirement, such as PCI, cannot be complied with.
Since the concern above is present, and understanding the incredible potential of cloud computing to improve the performance of IT foundation and infrastructure, we must find a solution, or a set of solutions, to standardize and address security concerns communicating to the cloud, within the cloud, and to data elements which reside therein.
In the next article, I will discuss the requirements for such solutions, and will include the excellent proposals brought forth from the Jericho Group and from the Cloud Security Alliance. I will also issue a "call to action" for these and other organizations to address the issue of cloud security before the technology become either unmanageable or, conversely, be seen as too risk-laden for corporations to use.
Ariel Silverstone is a veteran of the Israeli Defense Forces with experience in physical and information security and regularly contributes to information technology certification exams and to newspapers, magazines and electronic publications while working on a Radio show. He holds both the CISSP (for security) and the CBCP (for business continuity planning) certifications, as well as many others. During his IT and management consulting career, he focused on providing IT strategy, engineering, and assimilation solutions for a portfolio of primarily Fortune 500 clients, including USAA, Chase Manhattan, Citibank, GTE, General Motors, Ford Motor Company, Vanguard Funds and others. He specializes in companies in the financial services, transportation, medical services and high-tech industries. He has also been a director at Symantec Corp. and CISO for Temple University and for Bell Canada's Teleglobe.