Google FAIL and the Fog Over Cloud Security
Recent Google failures have renewed debate over whether it's foolish to trust the computing cloud. But the biggest threat remains our lack of understanding.
By Bill Brenner, Senior Editor
May 19, 2009 — CSO —
Late last year, when I interviewed Google Apps senior security manager Eran Feigenbaum and his marketing partner, Adam Swidler, they talked up Google's place in cloud computing and how it was in a prime position to make a difference with cloud security. [Four Questions On Google App Security]
But when Google suffers a massive outage as it did last week -- followed by another one yesterday -- people can't help but have their doubts.
Google content accounts for about 5 percent of all Internet traffic, so when it went down, many who have come to rely on its myriad applications to conduct business were dead in the water.
Meanwhile, attackers have been adding insult to injury by flooding Google search results with a fire hose full of malicious links, prompting the U.S. Computer Emergency Response Team (US CERT) to raise the red flag [Attack That Poisons Google Results Worsens].
These are troubling events that illustrate just how perilous the cloud can be. But don't believe those who suggest this is a new threat. It merely validates the security concerns smart people have been raising for a very long time.
One of the people I trust on this issue is Chris Hoff, whose recent cloud security talk at SOURCE Boston attracted a crowd that included security luminaries like Dan Geer [CSO podcast interview with Geer] and Marcus Ranum.
Hoff has warned repeatedly that companies are moving too fast on cloud computing without truly understanding what it's about first. ["This love affair with abusing the amorphous thing called 'THE Cloud' is rapidly approaching meteoric levels of asininity," he told me in one interview.]
Another voice I trust on the issue is Ariel Silverstone, a veteran of the Israeli Defense Forces with experience in physical and information security who regularly contributes to information technology certification exams and to newspapers, magazines and online publications like CSOonline.
In his latest CSO column [Cloud Security: Danger (and Opportunity) Ahead] Silverstone noted that the breathtaking pace of cloud computing adoption demands that the technology evolve with stronger security woven into the architecture.
"We approach quickly the point in which the amount of data and of processing in the cloud will be not only unmanageable but also pose a security and related privacy risk to the users of the data, and to people who the data concerns," he wrote.
This is like every other piece of technology that has come before and is still yet to come. We need to raise awareness as to what the technology is all about, how it ticks, and how the bad guys have learned to exploit it to steal our data. Companies continue to rush into new technological deployments with little consideration of the security needs. The fact that so many people [including me] have come to depend on Google Apps to get work done speaks volumes.