Here’s a shocking statement for a lot of people in technology and especially outside of technology. “Your money is at greater risk because it isn’t in a cloud.” Here’s another shocker “Your medical information is at greater risk at your on-premises Doctor than if it were stored and protected by access control in the cloud.”
Is that shocking to you? If you aren’t shocked you probably know a lot about cloud technology. The cloud is more secure than most of the IT Departments, physical server locations, secure Government installation, and other environments than one might imagine.
Why Am I Writing This Blog Entry?
While I was listening to Steve Riley’s talk on AWS Security I started this blog entry. A few of the questions that were brought up made me realize how little of the physical and platform level security is actually understood. Even though this was about AWS it also applies to Azure, Google, and other cloud environments and platforms. After several weeks of studying Azure and several years of working with Cloud type technology at Webtrends this statement shocked me, “A bank or a medical entity wouldn’t put its data in the cloud.”* I couldn’t help but think that someone posing this statement as a fact (even though I know that it is absolutely not a fact) is sorely misinformed about cloud computing and technology.
Well, I wanted to retort this this statement myself, but Steve handled the question as a rock star presenter would. But I still want to elaborate on this topic. Also check my previous blog entry “Your Cloud, My Cloud, Security in the Cloud” (* See Addendum) as I touched on this topic from the vantage point of web analytics. What we have here is the conversation of data that truly needs to be secure.
Cloud Security – Physical
The cloud environments has physical locations all over the world. Each of these locations are not advertised or easily located. They are obfuscated and not listed for the reasons of security. Once you get to one of these facilities the location has numerous physical security restrictions including; time based access codes, security cards, some have retinal scanners, and the list goes on. In addition, many of these security methods are used concurrently with others.
In addition to this, people maintaining the cloud technology centers don’t have access to the data. They do not even know how, nor could someone specifically tell them how to gain access to specific drives or machines that have the data of specific instances without extensive work. That alone provides an immediate level of security, both for data and physically. That leads me to this next point.
Data Security in the Cloud
Having data spread across virtualized storage mediums is a step into another realm of security. For more than just security reasons data is spread across multiple storage locations. Because of the virtualized nature of this storage the actual data is located in a number of locations that is shared among machines. These machines are not maintained in relation to these storage points. The storage points are tracked by the machines, in secure ways, so that only an account can access that data. In addition to this spread of the data, the storage is actually moved from point to point on machine at various times to maintain uptime and redundancy. Because of this it also increases the complexity in finding this data by nefarious means.
One final point of physical security for data is that each customer, has completely segmented data stored in separate virtual instances. This separation is equivalent to two storefront businesses side by side. They are separated by a physical wall just like the manipulation of data in the cloud. This is important to grasp on many levels as nobody would question placing one business next to another – entire cities have existed for hundreds of years that way – so can businesses within the cloud.
Security at the Platform Level…
…I wanted to continue on this topic but I’m going to hold off. Right now for work and personally I’m researching a number of additional security ideas within the cloud. It includes physical, data, access control and other security principles. I’ll have that write up for for another day, inclusive of the platform level security.
…as for now, that wraps up this semi-ranting piece.
I’m inclined to think that physical security is a red herring. Many enterprises like banks or insurers use third-party companies for off-site storage of records and system backups.
The real security issue is access control. My company uses a cloud provider for document storage; I could give anyone my login information and they have access to the company’s data. Also, the entire data structure is vulnerable to theft of the administrative password, as this would enable a single individual to lock out everybody else, or simply add an additional user that the real administrator doesn’t know about.
Finally, you may be aware of the fracas that occurred recently around the Amazon Kindle and its document storage. You, the owner of the Kindle, do not own and have no control over the documents you “purchase”/load on the Kindle. (According to the ToS, you are not actually purchasing eBooks, you are leasing them.) Amazon can, at any time, decide to take back a document and you can’t stop them. They’ve done this a number of times, both because of copyright issues and because individual Kindle owners have pissed them off.
The point is that in a cloud, your cloud provider now “owns”/controls your documents. I don’t think that individual employees are going to hijack your data but I have no trouble at all believing that the corporation itself would make your data available to gov’t agencies or other corporations, were circumstances advantageous for such “sharing.”
That said, I don’t think there’s a practical alternative for most forms of data storage these days. The real challenge for “cloud computing” is that the applications are weak sisters compared to their locally-installed counterparts. To use an obvious, familiar example, neither Google Analytics nor WebTrends OnDemand offer the analytical power of a software installation of WebTrends at the enterprise. Another good example is Google Apps, which lacks the templating and macro infrastructure needed by most businesses that have a significant orientation toward production of business literature or documentation.
What drives companies to the cloud is the increasing cost of local infrastructure to maintain that higher level of performance. It’s not that the cloud is “better,” it’s that it is cheaper.
mp
This is a security issue in general, and not specifically for the cloud. So I’m going to ignore this particular point, but the next topic…
Again, the line you are drawing is blurred. You are talking about a company (Amazon) that controls the flow of the data for their tool/application (Kindle) taking back something that they have distributed to you. What they did I won’t say was right or wrong, but again, this is an application specific scenario and NOT correlative to the cloud. Yes, the application (Kindle Distribution) is in the cloud, but it could have been in any environment. The fact is that the application and the legal EULA/terms of service enabled them to do what they did. NOT a security paradigm.
No, the cloud provider doesn’t “own” your data. You own your data. The cloud provider can barely get to your data even if they tried with the controls put in place to disallow that type of thing. Even when the Government comes with legal requests and demands someone’s data it is absurdly difficult for AWS or Azure to get at the actual data – often times all they can do is provide the instances themselves and walk away from it. Leaving the Government to sort out the bits themselves. So again, even when the Government wants things from the cloud for legal reasons they often can’t get them without a large amount of effort.
Again, approaching the ideas and architecture of applications as if they are the cloud does not draw a correct correlation. So I’ll pick each apart…
1. Webtrends OnDemand, which is “kind of” in the cloud in the virtualized IaaS sense, is vastly more powerful in processing than an in Enterprise installed Webtrends Software Package. Google Analytics, again, is vastly more powerful than that. The reasons is simple, there are a zillion machines available for processing while any Enterprise is not going to dedicate that level of resources to processing. Black Friday, go sit in ops at Webtrends and you’ll see for yourself. This again goes beyond security, so I’ll leave it at that. As for processing power though, an in Enterprise Allocation of Hardware is going to have an extremely difficult time processing the volume of data a providers cloud can process. Just look at the number of machines Google has, or Amazon (if you can find the numbers, I know it is hard). Google alone has more processing power than most countries do, let alone some single Enterprise Corporation. Anyway, I digress, as I stated this is not a security concern but an allocation and processing concern.
2. Google Apps – Now you’re comparing web applications with the implied idea of desktop applications. At least, it appears. I agree with you in this sense. A Silverlight, Flash, Adobe AIR, or other RIA framework would probably allow for a much more interactive application than a web based HTML/CSS/JSript Application could ever hope for. Even HTML 5 & the starry eyed promises of the new standards don’t realy measure up. Again though, this isn’t a cloud security or data security issue. The cloud can handle document manipulation (and there are a number of customers that use clouds for this) at a huge volume, and process these documents by the thousands if not millions on a daily basis. Again, not sure why you’re broaching this particular topic in relation to security in the cloud, but it isn’t particularly valid.
Ok, now onto the last bit…
Sometimes the cloud is cheaper, sometimes it isn’t. There is also the problem, not of cost, but just of the fact that there isn’t time to scale up local infrastructure to the level the cloud can provide right now. There are a lot of reasons, price being one of them for sure, but by no means the only or primary one. Trust me on this one. 😉