Skilling up the cloud: What it means for infosecurity pros


Cloud Security = Oxymoron

Clouds as implemented by today's technology and could hosting providers are not secure-able unless you physically own all the hardware and networks involved which defeats the cost savings of leveraged cloud hosting. (aka a private cloud which is basically outsourced virtual server clusters)

Don't believe me ask your provider to demonstrate how they can trace an intrusion or network connection thought the leveraged cloud, which servers where compromised when, which routers, switches, etc. Most of the major hosting providers simply cannot provide the basic incident information you need to do a proper investigation or documentation required in most courts. It's hard enough to do this effectively with physical systems in a court of law, let alone trying to explain the layers of abstraction involved with the virtual machines in a cloud.

Log management/reviews how do you merge all those server logs into one unified manageable source, well that's more hardware and software = more $$$. How do you monitor your network traffic to detect anomalies? You can't. Why? Well because you might have visibility into other client's packets. Or worse, it they let you then that means someone has access to yours!

More important questions to ask are where exactly is my data located in the cloud and how many others share that same storage? Are the backups of that storage segregated or are they mixed together? Why you ask? Well all it takes is one warrant for all data, tapes and servers for company XYZ which live on the same infrastructure as yours to ruin your whole company. If they are mixed (and most are, again for cost savings) not only did you loose your servers (easy to replace) and the SANS (little harder to replace, and will take a while) but your backups as well! Possession is 9/10 of the law in the US the hosting provider owns the servers, the storage, and the backups in many courts they own your data unless a clear agreement is in place. Even so that agreement will not save you from a shutdown in the scenario above.

Worse if you are a smaller customer you may have to wait longer while the high priority customers get online first. Hope you have up to date Disaster recovery and Business continuity plans in place.... or at least an updated CV on hand you may need it.

Finally if the hosting provider is replicating the data in multiple countries you also can get in trouble especially with things like Personally Identifiable information, things that are commonplace in the US for example may be against the law in the UK.

Not secure and in many cases more trouble than they are worth! IMHO the cost to implement a secure cloud environment with today's technology will generally cost more than traditional server farms for most implementations. Fine for blogs and public information but I would resist the hype about putting proprietary, sensitive, or business critical data on them. If you do good luck come audit time! :)


Back to the forum