
By Roger Grimes, Columnist

Cloud computing is more secure than you think

Analysis
May 04, 2010 (7 min read)
Cloud Computing, Data and Information Security

With frequent backups and stringent security policies, cloud vendors often run much tighter ships than other organizations

Recent security problems with Google’s cloud offerings have sparked a flood of questions about whether or not cloud services are ready for prime time. Are they sophisticated enough to handle the world’s mission-critical applications reliably and securely? In my view, the answer is a resounding yes. Choosing one or more cloud services could, in fact, reduce expense and security risks for the average company.

That view may come as a surprise in light of the dozens of stories that emerge each week summarizing various cloud failures. Those failures aren’t the norm, though; it’s just that the media makes more money when it reports bad news instead of good. How many articles have you read about cloud vendors with 99.999 percent uptime and availability? How many news alerts have you seen this year discussing the cloud products and services that experienced no significant security issues? Not many, I suspect.


Over the last 10 years of my career, I’ve performed hundreds of security reviews at an array of organizations. In general, the average company has dozens of security gaps, many of them of the highest risk. It’s never a surprise to the companies that have hired me. Heck, the participating staff usually knows of far more problems, but there’s little incentive for them to volunteer information. It’s common to find huge policy gaps, unpatched software on mission critical servers, bug-filled applications, spotty data restoration, and a myriad of maliciousness.

Most of the cloud providers I review, however, fall at the other end of the spectrum: They have highly focused and fairly locked-down environments. Instead of the 40- to 90-page report I typically deliver, my reports to cloud companies tend to be 5 to 20 pages long, citing only a few problems. The bigger the cloud vendor, the fewer problems I find on average.

The biggest cloud vendors are in huge, globally distributed data centers with very narrowly task-focused employees. In order to serve a wide range of clients and provide the best service, cloud vendors must have their policies and processes down. Physical security is as tight as can be. Everything is actively monitored and keyed to actionable alerts. If an action can be automated, it is. The fault-tolerant features are redundant-redundant, as if two of everything isn’t enough.

Most noncloud companies I know do nightly backups — or perhaps transaction-based backups on a few mission-critical applications. But should an email or Web server go down, the best data available is from the night before. Cloud vendors generally back up every transaction of every app immediately. The major players back up every bit of data instantly and spread it across two or more globally distributed backup arrays.

The typical power backup sources at these companies would make most network administrators drool. Many cloud vendors have dual instances of every supporting system: electricity, environmental controls, network connections, and so on.

I don’t mean to say that every cloud vendor is perfect and cloud products don’t have data loss or downtime. It’s far from the truth, and I’ve found a few cloud vendors that would be ranked the worst in every category. Some of the vendors I’ve reviewed run a technological deck of cards, waiting for one weak link to bring down the whole house. But the typical cloud vendor has its security and availability issues better resolved than the average noncloud company.

One of the biggest advantages of running a cloud is that a single fix affects all customers simultaneously. For example, in most of today’s enterprises, patching critical security holes can take days to weeks, from the time the patches are released to the moment systems are updated. A cloud vendor can patch once and protect all its customers.

Even enabling better security is easier in the cloud space. Google, for example, recently enabled requiring HTTPS for its Gmail service. HTTPS is normally required only for secure logons and sensitive information. In terms of performance, it’s very costly to turn on for all transactions: an HTTPS transaction can run 200 to 300 percent slower than the equivalent HTTP one. That sort of decision in a normal corporation could take months of review and another few months to pull off, if it’s ever accomplished. Google made the security decision and, in a flash, increased the security protection for its millions of customers.

The trade-off, of course, is that Gmail users who didn’t want this feature couldn’t do anything about it. Once again, the majority of cloud decisions are more about features (and hence, control) than about security.

The real question is, How secure will all cloud services be as the entire world turns to them? It will probably be life as usual. We’ll have vendors who do a better job at security and others who don’t, just as with today’s decentralized software world. Attackers will migrate from attacking your desktop to attacking the cloud. They always follow the end-users and data.

Some people, myself included, are worried about the repercussions of a huge, shared cloud. Won’t one vulnerability in the cloud automatically put all clients at risk? Sure, but that’s not a lot different than today. For example, the Robert Morris worm essentially took down the Internet in 1988, and the 2003 Slammer worm exploited the majority of vulnerable hosts on the Internet in less than 10 minutes. The Slammer worm went off around 1 a.m. ET; by the time most of the United States woke up, the problem had made the rounds.

Most of the computer security problems we’ll face in the future will have much in common with today’s threats, but the effort needed to contain a problem and apply the fix will be different. For a cloud vendor with 24/7 staff, if proactively alerted, responding technicians should be able to minimize the damage, fix the problem, and have the system back online, likely quicker than before. I mean, who is more familiar with the systems and apps than the experts running the system, especially if it’s their only system and their only responsibility?

This is not to say that cloud vendors don’t have data loss or downtime — they do and they will. But the remaining nascent issues will quickly be resolved as the cloud grows and matures. It reminds me of former InfoWorld writer and industry legend Dr. Robert Metcalfe, who famously worried whether the Internet could be resilient enough to handle mission-critical business traffic without a major collapse. As one of the key inventors of networking as we know it today, Dr. Metcalfe was right to sound the alarm. I’m sure he’s just as happy to see the Internet mature enough to become synonymous with business commerce.

I’m here to say that the security problems of the cloud have been drastically overblown in the media, especially when compared to the typical company. I say, “Come in. The water’s fine!”

This story, “Cloud computing is more secure than you think,” was originally published at InfoWorld.com. Follow the latest developments in security and cloud computing and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
