Part 2: Issues that need to be fixed to make the cloud less risky.
In part one, the cloud of the future was dissected. This part examines concerns and possible impediments.
No one doubts the cloud will be an important part of the Internet of Everything, but the transition from local to off-site computing will never be completely seamless or risk-free.
To begin with, there is the cost of storage and bandwidth. Running applications using on-site hardware with power delivered over a wire always will be faster and cheaper than remote access. That’s especially true if the application is complex and requires a lot of I/O. In fact, one of the more difficult tradeoffs that mobile device makers are wrestling with today is whether to do computing locally or remotely, comparing the battery drain and performance for intensive I/O versus localized computing.
That’s compounded by the issue of who controls access. Cloud computing means all of your faith for continued, unfettered access is put in the hands of strangers. One can imagine what it might cost to reach 99.999% reliability and accessibility for critical services. In less-demanding circumstances, expect the cloud provider to find ways to charge for every service, as well as bandwidth.
Another issue involves reliability. Crashes are a way of life in computing. Prudent on-site networks always have a backup for just such occasions. But a public cloud infrastructure involves so many more interactions that the potential for disruption is huge, even with high redundancy and backup systems. And the problems are magnified as they get closer to the top. For example, if there is a problem at Amazon, which provides cloud storage services for entities such as Netflix and Pinterest, it can affect all of its customers. In 2014, system outages occurred at Adobe, Gmail, Microsoft, Dropbox, Basecamp, iCloud, Evernote, and others.
There are other concerns, as well. With intellectual property, for example, who owns the data you sent into the cloud? This has prompted some controversy over terms of service from cloud companies such as Facebook and Instagram over photos stored on those sites. There also is a gray area involving uploaded data and data created in the cloud. Ownership is a factor still being worked out. And along the same lines, there are other questions about copyrights and legal usage. It could take years before a sufficient body of case law is established.
But the biggest concern of all is security of data stored in the cloud. At an RSA conference last year, John Pescatore, director of research at the SANS Institute, observed, “There is no debate about whether we are going to use the cloud.”
That means that any concerns about security have to be resolved.
In a recent Intermap survey of 250 decision makers at large and midsize companies, 40% indicated they are “cloud-wary,” noting security was the No. 1 reason they would not adopt. On top of that, 15% of “cloud-wise” respondents placed security as a top impediment to adoption.
Some believe these concerns are overblown. “The popular perception that the cloud is inherently insecure is wrong,” says Wade Baker, managing principal of research and intelligence at Verizon. “It seems to imply this relationship with the cloud is untrustworthy or higher risk.”
At a minimum, companies should know exactly what practices their cloud vendors are implementing because there is a lot of potential risk in a “perimeter-less” environment such as the cloud. Following are several issues that are of critical concern with the cloud.
One of the top cloud application security issues is lack of control over the computing infrastructure. Moving to a cloud computing environment means handing off control over the networking infrastructure, including servers, access to logs, incident response and patch management.
The model is different. The cloud is a potentially hostile environment with all kinds of applications and data residing there, not just the data from one organization. All the components that traditionally have been very trusted are running off-site. Clouds rely on openness and flexibility, with either public or subscriber availability that challenge many of the fundamental assumptions that held true for closed network security.
One example involves data being logged to an on-site secure server within a secured network. In such a case, the data can be left unencrypted because of the perimeter security of the network. With the cloud, however, any unencrypted data is at risk due to the public and shared nature of that network.
Another example involves firewalls. In an on-site infrastructure, one can simply drop in a firewall wherever and whenever it is needed to add security to the network. In cloud networks, that can’t be done. Moreover, traditional software tools don’t work the same way on cloud infrastructures because they are a shared environment.
Threats to the cloud are similar to those in private, secure networks:
• Data breaches and data losses. Because these are third-party servers that allow virtual access to their customers, any attack on these servers can, potentially, affect all the data.
• Account hijacking. Because physical access to data is given to clients through user accounts, if any account is compromised, it is possible that a hijacked account can affect other accounts. There are also privilege escalation attacks, which can exploit user-level access rights of other accounts.
• Non-secure APIs. If the cloud provider isn’t using the right APIs, they are subject to calls that can be spoofed, or they can be hijacked for infected data transmission.
• Denial of service. If the cloud server farm is not properly protected from DoS attacks, it is easy for a hacker to use them to lock up the site and keep other, legitimate users from getting service.
• Malicious insiders. While rare with top cloud providers, not all providers are created equal. When providing sensitive data to these third-party providers, it is important to know the organization has a secure and trustworthy team.
• Shared technology. This is the new landscape. Cloud statistics have shown that most of the security issues revolve around shared resource technology adapted to the cloud. It is now possible to compromise all the data in a cloud, not just one user’s data.
• Insufficient due diligence. Cloud computing requires a lot more work to figure out how robust the cloud provider’s infrastructure really is.
Overall, on a global level, the issues with cloud security aren’t that much different than they always have been. However, with the cloud being shared technology, it requires a much different approach at the “street” level. That part will be dissected in future articles.
Because both the cloud and the IoE are evolving, it is difficult to say, with any certainty, exactly how the two will interact in 5 or 10 years. But there is no doubt these issues will need to be understood, solved or contained because the cloud is very real and there is an almost universal movement to connect everything to everything else using a Cloud of Things.
When this will become a reality, and what it will look like, is still being determined. But to paraphrase UCLA Bruins football coach Henry Russell (“Red”) Sanders, “Security isn’t everything. It’s the only thing.”