Internet information exchange and commerce has matured to the point that we cannot imagine how we would run our businesses without technology anymore. We have created elaborate systems and constructed solid disaster recovery and business continuity mechanisms to protect our digital assets. Until recently, these Internet facing systems have resided on dedicated computers that we were responsible for completely. Even if we enlisted the help of a hosting provider, we were still responsible for the stability, security, and availability of our dedicated environments.
Synopsis:
The effective weak link of cloud computing: An oversight by a single vendor creates a single point of failure that can have devastating effects on an untold number of its customers.
Analogy:
Imagine if you will, that your dedicated application is a private jet. It is everything you need it to be. You are completely responsible for its care, maintenance, security, and operational stability. It is a bit expensive to operate right? There are risks in flying. That fancy private jet could crash right? The important thing to remember, however, is that nearly all aspect of this environment is within your control.
Along comes this new economy concept known as “Cloud Computing.” It is like buying a ticket on a super economy jumbo jet. You want to get to your destination and the airline service provider sells you exactly the service you need. Now imagine for a moment, that you are this passenger aboard a jumbo jet flying comfortably high in the clouds. You have paid a reasonable market driven price to be one of the dozens of other passengers. You are a perfectly healthy person, up to date on your vaccinations, and health checkups performed by your personal physician. The problem arises when one of the other passengers is not being proactive or careful with their health. Suppose this passenger has contracted Swine Flu or SARS recently.
Every passenger on this super economy jumbo jet is now at risk of contracting a potentially devastating disease. The airline company does not screen passengers for infections do they? You certainly cannot legally screen other passengers can you?
What if this super economy jumbo jet crashes? Every single passenger aboard shares the same level of risk due to the inherent nature of this shared environment. How do you know you are not boarding a ride with a one way ticket to eternity?
I am certainly not opposed to “Cloud Computing” as a concept. I like it for the same reasons I like virtualization in the data center. It is a feel good “Green” technology that reduces our costs and demands on our resources. We reduce our footprint while increasing our stability. Just like I have special considerations about virtualization in my data center, I should have special considerations towards Cloud Computing. As a security practitioner, I have more concern for these shared environments that I do for segregated environments. “Means, Motive, and Opportunity” is the common catch phrase in law enforcement whose applicability has not been diminished by technology.
Commentary:
Cloud computing is Internet based development and use of computer technology. It is a style of computing in which dynamically scalable and frequently virtualized computing resources are provided as a service over the Internet. End users need not have knowledge of, expertise in, or control over the technology infrastructure “in the cloud” that supports them. The concept incorporates Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) and several other technology trends such as Web 2.0 which have the common theme of reliance on the Internet for satisfying the computing needs of the users. The vendor provides common business applications online, or company specific applications online that are accessed from a web browser, while the software and application data is stored on the vendor’s servers.
There are strong inherent risks when you rely on a single provider. It’s not that cloud computing is automatically a bad idea, since outages and security flaws happen in-house or with ASP relationships too. Should the vendor have just a single vulnerability in any Internet facing application they host, perhaps a web application flaw such as a simple and very common cross-site scripting error, a lapse in network security, or a physical security indiscretion, its clients and their customers all share the same risk. The enterprise is only as strong as its weakest link, and if someone else is managing that link for you, you have some questions to ask before conjoining your business to theirs.
Application vulnerabilities are the single most prevalent threat to information assets today. Attackers who are motivated by financial gains are finding ways to exploit vulnerabilities in legitimate Internet business applications, as well as consumer applications. Cloud Computing cannot be viewed as a panacea and due care must be taken to assess a provider’s safety and security. Vendors should be held to higher standards than traditional product providers.
Physical separation is vital to protecting information assets. By eliminating fundamental threats introduced by virtualized infrastructure, shared environments, or other virtualized environments such as cloud computing, you exponentially decrease risk. The simple approach to infrastructure reduces complex points of failure.
Conclusion:
The following practices will go a long way to eliminating many threats introduced by emerging virtualized or shared technologies.
- A stronger demand for the regular local environmental assessments of service providers to assure that security and safety measures meet or exceed our expectations. I would strongly recommend we do not rely heavily on third party assessments such as SAS70 given the level of security expertise the common auditor possesses.
- A more vigilant vulnerability and penetration assessment schedule is performed on a near perpetual basis to assure that our applications are secure. It will be most certainly impossible to perform these tests on the other companies being hosted by the SaaS vendor. This does pose the biggest threat to our environment hands down. The additional requirement written into your contract that requires the service provider to perform holistic vulnerability assessments and provide methodology and resulting reports to their customers. This practice will force other customers to patch applications and the vendor to do the same correcting security problems proactively before they become catastrophes.
- Physical separation is vital to protecting information assets. Eliminating fundamental threats introduced by shared environments and virtualized infrastructure positively eliminates all threats that simple segregation has always provided.
- Data encryption must be mandatory to help protect our company information assets and customer sensitive data in the event that a breach occurs. That breach may come through another customer’s web application, but the collateral damage might become us. Data should always be provided on a “Need to Know” basic, which means that applications should be coded to display only relevant information and obfuscate information that should be protected from everyone.
- An increased need for disaster recovery should the Cloud (SaaS) vendor experience a compromise with our services or any other customers.
- Redefine those Service Level Agreements (SLA). Traditionally when problems occur in the data center, technical staff support members locate the problem source. With Cloud computing, connections and transactions occur on the service provider’s network, making it difficult to monitor and troubleshoot the environment. A more collaborative agreement may be advisable. The very minimum standards would hold the service providers more accountable.