Security in the Cloud
I was at a conference recently, talking to a woman about our product. The woman was the security manager for a large organization. I had mentioned that we run our servers in the cloud, so we can easily scale, etc. etc. She commented something like “Oh, I would never be comfortable having my information in the cloud.” I had heard this sentiment before, but never talked to anyone who felt this way, so I asked her why. She commented that she would be worried about having the information out of her control, and mixed in with all the other applications in the cloud.
I actually believe this is an artifact of the terms we technical people use for things. “Cloud” has been used for a long time, certainly predating cloud computing by decades. In the jargon sense, “cloud” means “something that has some characteristics, but you don’t need to worry about how it works inside.” The internet itself was always portrayed as a cloud. You send a message into the internet cloud and it comes out the other side at a destination. You don’t care what happens in that cloud. By that meaning, the regular mail system is a cloud. But so are a myriad of other things: my car: I just push buttons and it goes; the supermarket: food just shows up there somehow; laundry: I drop my dirty clothes on the floor and they show up clean in my drawer.
The important thing to realize is that every day you deal mostly with clouds. You can’t possibly understand the details of more than a few things in your life. And cloud computing is no different, except that most IT people are used to seeing racks of physical servers humming in their little air-conditioned havens. It is disconcerting to think of moving from a paradigm where you can touch all your assets to one where your assets are in some nebulous cloud somewhere.
But let’s examine the security issue by breaking it down into two attack vectors: internal and external. In terms of an external attack, there is little difference. If I have outdated patches, poor security design, etc., my physical server is just as vulnerable as my cloud server. However, my cloud provider may have more intrusion detection/prevention mechanisms than I can muster. Internal attacks are different. It is much easier to get into a server if you have physical access to it, because you can boot the machine from an external source and access the hard drive (assuming it is unencrypted). If you have physical servers, are they locked? How secure is the room? Do you ever have disgruntled employees? I think you see where I am going here.
Getting into a virtual server at a physical data center where cloud instances are hosted is a much more complex proposition. First, you have to get physical access to a highly secure data center. Second, you have to know which machine a virtual instance is hosted on. Third, you have to get physical access to that machine. Fourth, I don’t know. I don’t even know what it means to get physical access to a virtual server. It is probably a moot consideration since you can’t boot a virtual machine separate from some host. But having physical access to the machine that is hosting the virtual machine means nothing if you don’t have the credentials to get onto the virtual machine. Of course, the majority of data breaches come from external sources anyway.
OK, but doesn’t the cloud provider have secret backdoor access to all their servers? Amazon EC2 uses a public/private key pair to generate the initial password for your virtual server (I’m not sure how the other providers do it). You have the private key; they don’t. That means that they cannot get into your server, no matter how hard they might want to. There is a non-zero probability that they have some special version of Windows Server/Linux that has a secret backdoor password, but that is definitely in tinfoil hat territory. Of course, they have every incentive to make things as secure and private as they can. If they screw it up, they can lose tens of millions of dollars in business. Does your small IT staff have the same incentives?
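The key-pair point above is easy to see in code. The following Go program is an added example written for this post; it is not Amazon’s code and does not call any AWS API. It models the idea the paragraph describes: the customer generates a key pair and hands over only the public half; the provider side generates a random initial password, encrypts it to that public key and keeps only the ciphertext plus a hash the guest would use to check logins; only the holder of the private key can recover the plaintext. The 20-character password, the RSA-2048 / PKCS#1 v1.5 choice and the SHA-256 login hash are assumptions made for the example, not details taken from the post.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"math/big"
)

// Constructed alphabet for the example's random initial password.
const passwordAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"

// GenerateCustomerKeyPair models the customer creating a key pair on their
// own machine. Only &priv.PublicKey is ever given to the provider.
func GenerateCustomerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ProvisionedInstance is what the provider retains after launch (assumed
// layout for this example): the encrypted password, which is safe to expose
// through a console or API, and the hash the guest stores to verify logins.
// The plaintext password is never kept.
type ProvisionedInstance struct {
	EncryptedPassword string   // base64 of the RSA PKCS#1 v1.5 ciphertext
	PasswordHash      [32]byte // SHA-256 of the password, kept by the guest
}

// randomPassword draws n characters uniformly from passwordAlphabet using
// crypto/rand, so no modulo bias is introduced.
func randomPassword(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(passwordAlphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = passwordAlphabet[idx.Int64()]
	}
	return string(out), nil
}

// ProvisionInstance is the provider side: it generates the initial password,
// encrypts it to the customer's public key, stores the login hash, and then
// lets the plaintext go out of scope.
func ProvisionInstance(customerPub *rsa.PublicKey) (*ProvisionedInstance, error) {
	pw, err := randomPassword(20)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, customerPub, []byte(pw))
	if err != nil {
		return nil, err
	}
	return &ProvisionedInstance{
		EncryptedPassword: base64.StdEncoding.EncodeToString(ct),
		PasswordHash:      sha256.Sum256([]byte(pw)),
	}, nil
}

// RecoverPassword is the customer side: decrypting requires the private key,
// which the provider never had. A wrong key yields an error, not a password.
func RecoverPassword(customerPriv *rsa.PrivateKey, inst *ProvisionedInstance) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(inst.EncryptedPassword)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, customerPriv, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// VerifyLogin is what the guest OS would do with a login attempt: compare the
// hash in constant time, never the plaintext it does not store.
func (inst *ProvisionedInstance) VerifyLogin(candidate string) bool {
	h := sha256.Sum256([]byte(candidate))
	return subtle.ConstantTimeCompare(h[:], inst.PasswordHash[:]) == 1
}

func main() {
	priv, err := GenerateCustomerKeyPair()
	if err != nil {
		panic(err)
	}
	inst, err := ProvisionInstance(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("provider holds only ciphertext:", inst.EncryptedPassword[:24], "...")
	pw, err := RecoverPassword(priv, inst)
	if err != nil {
		panic(err)
	}
	fmt.Println("customer recovered a", len(pw), "character password; login ok:", inst.VerifyLogin(pw))
	other, _ := GenerateCustomerKeyPair()
	_, err = RecoverPassword(other, inst)
	fmt.Println("decrypting with a different private key fails:", err != nil)
}
```

The point worth noticing is where the secret lives at each step: the provider’s stored state (`EncryptedPassword` and `PasswordHash`) is useless without the private key, so an insider on the provider side with read access to that state still cannot log in, which is the property the paragraph is arguing for.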
Analogies are dangerous, especially in computing. They are always a simplification of a more complex situation. Sometimes they make us less cautious than we should be, like when people think of a cell phone as the same thing as a wired phone instead of a radio that transmits. However, I believe cloud computing is one of the cases where our analogies make us overly cautious. We put too much stock in the security of the physical thing we can touch as opposed to the abstract concept somewhere else.