roger_grimes
Columnist

Cloud security: We’re asking the wrong questions

Analysis
Sep 10, 2014 | 6 mins
Cloud Computing, Data and Information Security, Hacking

The outcry over celebrity nudes blames a new scapegoat -- the cloud -- for our security woes, but underlying causes run deeper


In the wake of the celebrity photo breach, the media is humming with stories disparaging the safety of the cloud. Many longtime cloud critics are crowing, “I told you so!” and waiting for the world to go back to on-premises solutions only.

News flash: 1) the cloud was never touted as being perfectly secure and 2) the cloud will continue to grow and grow. The number of servers in your physical environment will shrink over time. Security doesn’t sell solutions — features and pricing do. Features are cheaper in the cloud.


The cloud vs. you

Let’s address the central question: Is the cloud more or less secure than your on-premises solution?

To get an accurate answer to that question, you’d have to compare your on-premises solution (the entirety of it, including all your relationships) to the security offered by a particular cloud vendor. That’s hard to do in real life for a few reasons, led by the fact that most companies don’t know the security reality of their on-premises solutions — and followed by the fact that most cloud vendors won’t let you do onsite, direct security auditing of their systems. It’s a guessing game.

But in general, in my experience, the biggest cloud vendor services have pretty good security. That is, they have fairly strong physical security, patch their servers, use strict firewall controls, use 2FA authentication for admin access, have hardened configurations and good backups, and largely do computer security better than most of the on-premises solutions I’ve seen.

To tell the truth, in most cases it isn’t even close. For example, with a typical on-premises solution, I have a hard time finding a fully patched server or a directory without dozens of godlike admins — both terrible security practices.

Special vulnerabilities

Clouds, of course, have unique challenges. They have every security issue, plus more, mainly because cloud providers have to worry about multitenancy, where the compromise of (or by) one customer can lead to the compromise of another.

Services and apps offered by cloud providers are typically come one, come all. Malicious hackers create accounts and start scouring for vulnerabilities. If they get lucky and find a major one, many accounts may be in jeopardy. You can argue, however, that the biggest problems are the unknowns: Clouds are still in their infancy and we’re still learning about cloud-specific security issues.

All that said, I find it hard to impugn the overall security of clouds when almost every company can be broken into easily. Let me rephrase that: Most companies are currently, actively compromised.

I’ve never met a penetration-testing team that didn’t easily break into its target within a couple of days. If penetration-testing teams are being paid to break in only once every year or two, why wouldn’t the bad guys, who are trying every day, be more successful?

I’m frequently contacted by readers who’ve not only found out they’ve been hit by an advanced persistent threat (APT), but ultimately discovered that the APT has had access for years — sometimes for nearly a decade. Often, they discover that other APT exploits also made themselves at home long ago. This isn’t the exception, it’s the rule … if you’re looking.

The original cloud: Credit data

Vast reservoirs of critical data have existed far outside your control for decades, long before the “cloud” nomenclature was invented.

Take credit card information. It goes without saying that you shouldn’t worry about your credit card being stolen from the latest vendor — like Home Depot — because your credit card company (or other service provider with your financial information) is likely owned by multiple APT groups as well. Your credit card is probably already compromised.

What’s stopping the bad guys from using your credit card/debit card if they already have it? For one, they have so many credit cards it’s hard to use them all at once. That’s why your stolen credit card gets replaced by the bank every two or three years rather than every year.

The groups that steal or buy credit cards aggregate them in large databases, then offer them for sale to other people. Your credit card is likely on multiple criminals’ credit card selling lists, for offer to anyone willing to pay the fee (usually ranging from $2.50 to $50, depending on the likelihood of it netting revenue for the buyer). The credit card selling operations have auction boards, satisfaction ratings, shopping carts, customer support services, and money-back guarantees.

If you want to read about the complexities — and openness — of these criminal enterprises, peruse a few articles on Brian Krebs’ website. It’s stunning to behold the maturity and sophistication of these operations. Some even buy credit card information directly from the credit card rating agencies! This stuff is organized. It’s not merely one bad seed with a direct link to one credit card rating agency.

State of insecurity

The state of computer security basically defaults to insecurity. I don’t say this to scare anyone. It’s been this way for a long, long time. For now, society accepts this state of insecurity as an inconvenience — a cost of doing business.

I can guarantee you, however, that it’s going to get worse. I’ve been asked the same question for 20 years: “Is computer security going to get better this year?” I’ve always replied no, and I’ve always been right. Sure, we are finally catching many of the big players, but for every one we catch, more move in. It’s a big game of Whack-a-Mole.

Yes, the cloud introduces new vulnerabilities, but that’s balanced by better security practices on the part of cloud providers than most customers can muster on their own. The cloud isn’t the problem. Next week, I’ll talk about the real reasons behind the miserable state of security.

This story, “Cloud security: We’re asking the wrong questions,” was originally published at InfoWorld.com.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
