Americas

  • United States

Asia

Oceania

roger_grimes
Columnist

We’re doomed to insecurity in the cloud and on thin clients

Analysis
May 17, 20116 mins
Cloud SecurityData and Information SecurityData Center

Every new technology brings the same old security vulnerabilities, along with new ones

Working in the IT security field, you spend every waking hour striving to improve protection and lower risk. Then another computing technology emerges — the Internet, wireless networking, mobile computing, social networking, and so on — and you have to learn every security lesson all over, as if something new and surprising has come along.

In the past few weeks, we’ve seen authentication token leaks from Facebook; a rise in mobile malware; major networks running without a firewall and with unpatched major software; and an array of security appliance vulnerabilities. Secunia, which doesn’t track every software product, is still publishing 250 to 350 vulnerabilities announcements per week. Some of the exploited technologies may be relatively new, but in terms of security, it’s really more of the same.

[ Master your security with InfoWorld’s interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]

Now some people think cloud computing and thin clients will decrease security risks and usher in an age of fewer exploits. I’m not so hopeful.

Thin clients have the potential to be less exploitable, simply because they have fewer lines of code, which should in turn mean fewer bugs, fewer security vulnerabilities, and less attack surface. However, thin clients rely on browsers to do the heavy lifting — and browsers are the most exploitable pieces of software ever created.

Many readers might still think that Microsoft (my full-time employer) has the most vulnerable browser on the market in Internet Explorer. Surprise, surprise — every major vendor that has tried to make a significantly less vulnerable browser has failed. Chrome, Firefox, and Safari have vulnerabilities numbering in the hundreds — far more than Internet Explorer in the same time periods. It turns out making a truly secure browser is harder than it looks.

Further, the forthcoming thin client OSes use these same browsers to do most of the end-user work. How can we expect an entire OS platform to be more secure if the major single application they rely on has hundreds of bugs?

One good argument could be that these forthcoming client computers will have less functionality. They won’t allow users to save files (or even states) locally. If the end-user can’t save to their machines, it’s going to be a lot tougher for malware writers and hackers to manipulate those computers, right? Probably not.

First, just as users aren’t supposed to care where their data or profiles are located, malware writers won’t care either. Wherever you are allowed to write data, the bad guy will follow. It’s merely a change in locale, and as bank robbers break into banks because that’s where the money is, the same principle applies here.

Second, I’m already hearing hedges. For example, end-users are asking how they will be able to work on their data files when they aren’t connected to the Internet or the vendor cloud. The thin client vendors are replying that the users can work with a locally cached copy while offline. Get that? Users can’t save files to their computer, but their computer will save cached copies locally. What’s the difference between that computing model and the current PC model? Not much.

It gets worse. Users are going to object to binary security models with thin clients just as they do on PCs and the Internet. As different platforms become more popular, the vendors will be forced to offer more functionality and more granular security. All of that means these devices will likely become as insecure as the platforms they are replacing.

One of my favorite examples is Adobe Acrobat Reader. When all it did was display a document, it was fairly hard to hack. But it became popular and Adobe added features, such as the ability to automatically launch links and executable code from within a PDF document. That ended Reader’s free security ride. Today, the software is involved in a sizable percentage of end-user exploits. Adobe releases monthly patches closing dozens of newly discovered and exploited vulnerabilities every year.

I don’t blame Adobe. Stay static and your competitor will eat you for lunch. End-users don’t buy security; they buy features and coolness. If end-users truly cared about security, OpenBSD would rule the planet. It’s free and has a demonstrated 15-year history as the most secure (popular) operating system on the planet. It’s the OS of choice for hundreds of thousands of users, but in my two-decade career, I’ve personally met maybe a dozen people who run it.

Meanwhile, as the cloud gains popularity, some cloud vendors are thinking seriously about security. However, clouds are inherently riskier than traditional platforms, all other factors considered equal. First, all clouds rely heavily on virtualization, but virtualization platforms carry every security risk known to physical computers, as well as guest-to-guest and guest-host risks.

On top of that, clouds have unique risks that aren’t found elsewhere, including multitenancy (multiple customers sharing the same database), broad authentication and authorization schemes (not just your private directory service), and lack of location specificity. With the last issue, how can you protect your data when even the vendor probably doesn’t know where it is specifically?

This is not to say that clouds can’t be more secure than traditional networks. Most traditional networks I’ve assessed could only be improved by moving some of their data into the vendor’s tremendously more secure data center. But I don’t think clouds or thin clients will significantly change the amount of vulnerabilities we face each day.

I used to think Internet crime would one day cause a catastrophic tipping point event, where the Internet, as a whole, went down for a day or so. I figured that the tipping point event, similar to the 9/11 attacks, would wake up the world to the Internet insecurities, and we’d eventually fix them.

What I didn’t expect is that we’d live with thefts of our money and identity, as bad as it is, as a normal part of life. I especially didn’t think that as each new paradigm comes out — social networking, smartphones, thin clients, cloud computing, and so on — we’d relive the same problems over and over. You’d think that along the way we’d heed the lessons learned and be proactive in preventing the on the new platforms. But we’re not there yet.

This story, “We’re doomed to insecurity in the cloud and on thin clients,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

roger_grimes
Columnist

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author