Site icon

Cloud Computing: Part 2

Internet information exchange and commerce has matured to the point that we cannot imagine how we would run our businesses without technology anymore. We have created elaborate systems and constructed solid disaster recovery and business continuity mechanisms to protect our digital assets. Until recently, these Internet facing systems have resided on dedicated computers that we were responsible for completely. Even if we enlisted the help of a hosting provider, we were still responsible for the stability, security, and availability of our dedicated environments.

Synopsis:

The effective weak link of cloud computing: An oversight by a single vendor creates a single point of failure that can have devastating effects on an untold number of its customers.

Analogy:

Imagine if you will, that your dedicated application is a private jet. It is everything you need it to be. You are completely responsible for its care, maintenance, security, and operational stability. It is a bit expensive to operate right? There are risks in flying. That fancy private jet could crash right? The important thing to remember, however, is that nearly all aspect of this environment is within your control.

Along comes this new economy concept known as “Cloud Computing.” It is like buying a ticket on a super economy jumbo jet. You want to get to your destination and the airline service provider sells you exactly the service you need. Now imagine for a moment, that you are this passenger aboard a jumbo jet flying comfortably high in the clouds. You have paid a reasonable market driven price to be one of the dozens of other passengers. You are a perfectly healthy person, up to date on your vaccinations, and health checkups performed by your personal physician. The problem arises when one of the other passengers is not being proactive or careful with their health. Suppose this passenger has contracted Swine Flu or SARS recently.

Every passenger on this super economy jumbo jet is now at risk of contracting a potentially devastating disease. The airline company does not screen passengers for infections do they? You certainly cannot legally screen other passengers can you?

What if this super economy jumbo jet crashes? Every single passenger aboard shares the same level of risk due to the inherent nature of this shared environment. How do you know you are not boarding a ride with a one way ticket to eternity?

I am certainly not opposed to “Cloud Computing” as a concept. I like it for the same reasons I like virtualization in the data center. It is a feel good “Green” technology that reduces our costs and demands on our resources. We reduce our footprint while increasing our stability. Just like I have special considerations about virtualization in my data center, I should have special considerations towards Cloud Computing. As a security practitioner, I have more concern for these shared environments that I do for segregated environments. “Means, Motive, and Opportunity” is the common catch phrase in law enforcement whose applicability has not been diminished by technology.

Commentary:

Cloud computing is Internet based development and use of computer technology. It is a style of computing in which dynamically scalable and frequently virtualized computing resources are provided as a service over the Internet. End users need not have knowledge of, expertise in, or control over the technology infrastructure “in the cloud” that supports them. The concept incorporates Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) and several other technology trends such as Web 2.0 which have the common theme of reliance on the Internet for satisfying the computing needs of the users. The vendor provides common business applications online, or company specific applications online that are accessed from a web browser, while the software and application data is stored on the vendor’s servers.

There are strong inherent risks when you rely on a single provider. It’s not that cloud computing is automatically a bad idea, since outages and security flaws happen in-house or with ASP relationships too. Should the vendor have just a single vulnerability in any Internet facing application they host, perhaps a web application flaw such as a simple and very common cross-site scripting error, a lapse in network security, or a physical security indiscretion, its clients and their customers all share the same risk. The enterprise is only as strong as its weakest link, and if someone else is managing that link for you, you have some questions to ask before conjoining your business to theirs.

Application vulnerabilities are the single most prevalent threat to information assets today. Attackers who are motivated by financial gains are finding ways to exploit vulnerabilities in legitimate Internet business applications, as well as consumer applications. Cloud Computing cannot be viewed as a panacea and due care must be taken to assess a provider’s safety and security. Vendors should be held to higher standards than traditional product providers.

Physical separation is vital to protecting information assets. By eliminating fundamental threats introduced by virtualized infrastructure, shared environments, or other virtualized environments such as cloud computing, you exponentially decrease risk. The simple approach to infrastructure reduces complex points of failure.

Conclusion:

The following practices will go a long way to eliminating many threats introduced by emerging virtualized or shared technologies.

Exit mobile version