Image credit: http://xkcd.com/1200/

Cloud Security is not a binary question

If you think Rick Spickelmier is correct, you’re dead wrong.

Jen Andre
4 min read, Nov 21, 2013


Recently, an article in Pando Daily asserted that the “cloud” is secure — so, long live the cloud, stop worrying and learn to love the cloud. Right??

No. It’s a bad article with a simplistic view of both the “cloud” and the security space. Here are a few reasons why:

Imprecise thinking: the author does not distinguish between the risks of IaaS and SaaS.

But let’s focus on SaaS first. The author brings up several high-profile SaaS compromises, yet argues that internal IT resources are far less equipped to protect data than these specialized SaaS companies.

What he’s missing from the risk equation is how attractive these SaaS businesses are to attackers. Hacking the internal accounting system at your 200-person business isn’t a high priority for most attackers, because the return on the time they would have to invest may not make economic sense.

But hacking a SaaS-hosted accounting service that holds data for 10,000 businesses means more bang for a hacker’s buck. These services are very prominently on the radar of attackers in the way your business may never be.

Finally: you know what you are doing (or not doing) internally to protect your information, but in many cases it’s not clear what security measures these SaaS companies are taking. If any.

Faulty logic: “employee error” applies to SaaS/IaaS employees as well as to your own staff.

The author goes on to argue that two-thirds of breaches are due to “employee error” and other internal issues, not external vectors.

But don’t those SaaS/IaaS companies also hire people? People with faults, potentially as prone to error as your internal employees?

Think about it. Your data is now in two places, so you have DOUBLED the opportunity for employee error or insider compromise. Your IT admin has an account on the service, which makes that account an entry vector into the data, but the employees at the SaaS business have access too. Those employees can be phished, one of them may be disgruntled, and they may be careless with passwords.

Now, let’s look at some of the issues with IaaS specifically….

IaaS providers may give you the tools, but you own the responsibility.

If you think Amazon, or Rackspace, or anyone else has anything beyond protecting itself in mind, you are dead wrong. Your box can be compromised a hundred times over, and no one will care until someone starts using it as a spam relay or a DDoS node. Only when it affects other customers does your compromise become an issue for the provider.

It’s great when these providers offer sophisticated access controls, but in the end they are only as good as your configuration of them. In many cases (I’m looking at you, Amazon), these configurations are difficult to manage, and users aren’t even aware what data and infrastructure they are exposing.

Not secure by default: Public Cloud means your infrastructure is internet-addressable, by default (and often by necessity)

In a private network, a bad password or a lazily configured server has a lower risk profile, because unless explicitly configured otherwise it lives NAT’d and behind a firewall. In the cloud, that same machine can be an entry point into your infrastructure, by default.
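The practical consequence of the two points above is that the first thing worth checking on a public-cloud account is which ingress rules actually admit the whole internet. The script below is an added example, not code from the original post or from any provider: it audits a constructed sample in the shape of the `aws ec2 describe-security-groups` output (the field names `GroupId`, `IpPermissions`, `IpRanges`, `CidrIp` and so on are an assumption about that shape) and flags any rule whose source is `0.0.0.0/0` or `::/0` on a port that is not on an allow-list of intentionally public ports. A management port such as SSH on 22, or a catch-all rule for all protocols, is exactly the “lazily configured server” that would have been harmless behind a NAT and is an entry point here.

```python
"""Flag security-group ingress rules that are open to the whole internet.

Added example. The data below is constructed to look like the output of
`aws ec2 describe-security-groups` (assumed shape); swap in real JSON from
that command to audit an actual account.
"""
import ipaddress

# Constructed sample: three groups, one of which is configured sensibly.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0002", "GroupName": "db", "IpPermissions": [
        # SSH from anywhere: the "bad password, lazy server" case.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # Database port restricted to an internal range: fine.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0003", "GroupName": "legacy", "IpPermissions": [
        # IpProtocol "-1" means every protocol and every port.
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Ports you intend to expose to the internet. Everything else that is
# reachable from 0.0.0.0/0 or ::/0 is reported. Tune per environment.
PUBLIC_OK_PORTS = {80, 443}


def is_world(cidr):
    """True for a CIDR that matches every address (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm):
    """Return (low, high) for a permission; '-1' protocol means all ports."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def world_open_rules(groups, ok_ports=PUBLIC_OK_PORTS):
    """Return findings for rules reachable from the whole internet.

    A rule is acceptable only if every port in its range is in ok_ports,
    so a range like 0-65535 is always flagged even if it covers 443.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if is_world(c)]
            if not world:
                continue
            low, high = port_range(perm)
            if all(p in ok_ports for p in range(low, high + 1)):
                continue
            findings.append({
                "group": group["GroupId"],
                "name": group.get("GroupName", ""),
                "proto": perm.get("IpProtocol"),
                "ports": (low, high),
                "cidrs": world,
            })
    return findings


if __name__ == "__main__":
    for f in world_open_rules(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['proto']} "
              f"{f['ports'][0]}-{f['ports'][1]} open to {', '.join(f['cidrs'])}")
```

On the constructed sample this reports `sg-0002` (SSH open to the world) and `sg-0003` (all protocols open over IPv6) and stays silent on the HTTPS rule and the internal-only database rule. The check is deliberately strict about port ranges: a rule that spans every port is flagged even though 443 sits inside it, because the intent of an allow-list is that nothing else is reachable.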

In conclusion: security is the process of risk management.

It’s never a binary question. Any time you outsource something (whether data or infrastructure), any time you involve a third party with data you want to protect, you are introducing another level of trust and some level of risk.

It may turn out that the risk is manageable: in many cases the risk is totally worth it for the tradeoff of superior service, product, convenience, and cost. The cloud is here to stay, and people love using it.

Lazy article titles like the one published by Pando Daily do everyone a disservice: what the world needs is more thoughtful consumers of the internet services they rely on, not people blindly parroting a soapbox of ‘YES THE CLOUD IS SECURE, USE IT FOR EVERYTHING’ or ‘NO, NEVER USE IT’.

These users should think about the consequences of putting information online, and when they do choose to use the cloud, demand more from the businesses that hold their data. That’s the only way “cloud security” will progress.

Article cross-posted from: https://blog.threatstack.com


Jen Andre

Jen writes about security & software stuff. http://jenpire.com. Twitter: @fun_cuddles