I clearly remember being a kid and scared there was a monster in my closet. I was pretty young, and all it took was my Mom wrapping a can of Right Guard in a “Monster Spray” label to allay my fears. My kids tend to get scared by stuff they can’t see as well, and movies like Monsters, Inc. haven’t done much to dispel the fear in today’s generation. When I went to sleepover camp, there were the stories of Cropsey to terrorize new campers, and the chain goes on and on. We continue to be scared by the stuff we don’t understand.
It looks like the cloud falls into the same boat, as shown by the latest survey by Kelton Research sponsored by Avanade. No, I hadn’t heard of either of these shops either. But all the same, 25% say they’ve had a security breach with a cloud service and 20% are moving back to traditional on-premise apps. There, my friends, is the bogeyman, in full effect.
Since we built the CCSK curriculum, your friends at Securosis have become immersed in many things relating to securing cloud infrastructure. In fact, Rich and Adrian will be teaching the course this week in San Jose to a packed house. We are also training the first set of instructors for the course, so expect to see it offered near you very soon. Which is a great thing, given our collective fear of the unknown.
So here is the dark little secret of cloud security. It’s different, but not that different from securing your traditional environment. The reality is that most folks suck at security, and moving applications & infrastructure to the cloud is not going to miraculously make them any better at it. If you are good at security on-premise, you’ll likely be pretty good when you move stuff to the cloud. That doesn’t mean you will automagically understand how all the pieces fit together, but the fundamentals are largely the same. There really are additional moving pieces, of course, and depending on where in the SPI stack you stake your cloud tent, you’ll need to think about more heavily instrumenting your applications for security and logging/monitoring. Identity changes a bit as well. And never forget that the entire environment (especially private cloud) remains immature and overly complicated.
But since FUD (especially the Fear) is such a powerful motivator for buying security widgets you may or may not need, we’ll see lots of questions about how secure the cloud is. We’ll see plenty of Chicken Little behavior to convince you the cloud is not safe – unless you use this cloud security widget, of course.
But – just as I tell my kids – if you are scared of something you need to understand it. It very well may warrant fear or terror. But until you understand what you are talking about, your fear is not justified. So get educated on cloud stuff. Go take the course. Ask questions, focus on educating yourself and your organization, and then figure out how and how much cloud computing makes sense for you. Just don’t give in to the fear of the unknown that will plague this technology for the next few years.
It’s not that scary. Promise.
Photo credit: “bogeymen everywhere 1” originally uploaded by Voyager10
2 Replies to “Security: the Cloud Bogeyman”
I think your monster spray example can be amusingly extended to continue the analogy with cloud and security. 🙂 Maybe that’s all you get to know about how the cloud provider applies security!
Sorry, cue the broken record below… 🙁
I clicked that “SPI stack” link and I feel this throbbing in the back base of my head. SaaS is a hosted website. PaaS is just an ESX server with multiple guest VMs (hey, I have those!). IaaS is just a colo. I.e. all things that have been offered for years, even decades at this point…
…and these hosting providers are notoriously cheap when it comes to support, visibility/transparency, and security.
I think that’s a good part of the disdain. (A good part comes also from the bastardization of the term “cloud…”)
All of this, even “simple” virtualization offered as cloud is complex, hard to understand for current technologists, and puts up a curtain so you can’t see the back details. (“Why is my server slow?” “Well, another customer had a runaway process due to increased demand which slowed operations for many of our customers.” “Wait, didn’t you sell me dedicated isolation?” “…” “What the hell else am I sharing?” “…”)
The exact curtains we’ve been pulling open for the past 5 years with the increasing roles of compliance and audit. (“Sure we separate CC data from test databases, we meet that requirement.” “You realize they’re on the same database server right? I just did a quick visual audit rather than believe what you said.” “But they’re separate databases! I mean…oh, I didn’t read the reqs that way…[more stalling].”)
It’s almost like we (orgs) hate spending money so much, we’ll move ops into places where we don’t have to spend that security money any more, by essentially putting heads in the sand and blaming someone else. Security doesn’t get better, we just essentially move our toys from littering the floor to being hidden under the bed, then brush our hands off thinking we did a gud job. (“We’ve moved our ServiceX to the cloud.” “Wait, how do we know it is secure?” “We have this marketing slick. Besides, it’s a cheaper line item on our budget.” “Wait, what abou..” “Moving on, let’s talk about tablets for sales…”)
Ultimately, you’re right; cloud (as the definition has slipped to these days) essentially really isn’t different from having your ops in-house/on-prem. Hopefully by centralizing it, you’re also centralizing the expert-level knowledge of these systems. But experience tells me without transparency, complacency is inevitable. (“You said you did your homework! But I actually checked and you only did the first 3!” “Oops, well, you haven’t checked in weeks…”)
One of the immediate benefits of cloud? You don’t get these stupid creeping requirements where some contractor from Icelandia spends 6 months developing a system that requires widget A, program B, and XYZ plugins, plus these 14 firewall holes, and then gets them approved because, “we need it, and you *can* technically do it,” despite how it drags ops and security down into darker realms of complexity. Instead, you hopefully get a flat, “No,” from the provider along with a reminder that you’re not the admin of the systems/network anymore.
Trend Micro just released (June 6) results of a global survey we did asking about cloud concerns and issues. Of the 1200 respondents, 43% had had security issues with their cloud service providers.
Here is a link to the press release. Mike – Let me know if you want the deck with more details.
http://trendmicro.mediaroom.com/index.php?s=43&year=0&type=current&news_item=886