Cloud security is not an oxymoron

Think your IT staff can protect you better than major cloud providers? Think again.

I just ran across Katie Fehrenbacher’s article in GigaOm that made a point I’ve been arguing (perhaps not strongly enough) for years. When you start talking to people about “the cloud,” you frequently run into a knee-jerk reaction: “Of course, the cloud isn’t secure.”

I have no idea what IT professionals who say stuff like this mean. Are they thinking about the stuff they post on Facebook? Or are they thinking about the data they’ve stored on Amazon? For me, the bottom line is: would I rather trust Amazon’s security staff, or would I rather trust some guy with some security cert that I’ve never heard of, but whom the HR department says is “qualified”?

And has your security guy, whatever his credentials, installed the latest OpenSSL patches? Amazon has. Google has. And I would bet that every other responsible cloud provider, certainly including Rackspace and Joyent, has. Azure never even had the problem (except on Linux images), since they weren’t running OpenSSL. A month after Heartbleed, more than 2% of the world’s online sites still hadn’t patched OpenSSL. And of course there have been more patches since then.
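The "have you actually patched?" question above is one an IT team can answer for its own fleet with a few lines of code. The example below is added here and is not from the article or from any provider named in it: it parses the banner that `openssl version` prints and flags hosts whose upstream version falls in the Heartbleed-affected range. The affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g; the 1.0.0 and 0.9.8 branches were never affected) is taken from the public Heartbleed advisory rather than from the article, and the host names and banners are constructed sample data.

```python
import re

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g shipped the fix.
# The 1.0.0 and 0.9.8 branches never contained the bug. This range comes from
# the public Heartbleed advisory, not from the article this example accompanies.
VULN_BRANCH = (1, 0, 1)
FIXED_LETTER = "g"

# Constructed sample banners, in the shape `openssl version` prints them.
SAMPLE_BANNERS = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "db-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
}

# Upstream versions look like 1.0.1e: three numeric fields plus an optional
# patch letter (plain "1.0.1" has no letter and is the oldest of its branch).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, patch, letter) from an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def heartbleed_vulnerable(banner):
    """True if the banner's upstream version lies in the affected range."""
    major, minor, patch, letter = parse_version(banner)
    if (major, minor, patch) != VULN_BRANCH:
        return False
    # Patch letters sort alphabetically; "" < "a" < ... < "f" are affected.
    return letter < FIXED_LETTER


def audit(banners):
    """Map host name -> 'vulnerable' / 'ok' / 'unparseable' for a fleet."""
    report = {}
    for host, banner in banners.items():
        try:
            report[host] = "vulnerable" if heartbleed_vulnerable(banner) else "ok"
        except ValueError:
            report[host] = "unparseable"
    return report


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_BANNERS).items()):
        print(f"{host}: {status}")
```

One caveat a practitioner will hit immediately: some Linux distributions backport security fixes without bumping the upstream version string, so a host reporting 1.0.1e may already be patched. Treat a "vulnerable" result from this check as a prompt to confirm against the package changelog or a handshake-level test, not as a final verdict.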

The argument Fehrenbacher makes is particularly interesting, since it hinges on the NSA and the revelations about their spying activities. It’s easy to say “yeah, Google is this great candy store of data, they’re in the cross-hairs.” Don’t kid yourself. If the NSA wants your data, they certainly know how to find you. Google and Amazon may be candy stores, but they’re at least candy stores with great big locks on the doors (and, at least for Google, using secure connections between internal servers). Can you protect your data as well as they can? It’s not just the NSA: it’s other governments, it’s organized crime, it’s even script kiddies. A recent experiment shows that, for as little as a penny, users will willingly download and install malware. The surprising, and gratifying, part of Fehrenbacher’s argument is that IT managers are realizing this, and are moving data to the cloud as a way to improve security.

I get it: there is a lot of data that can’t move to the cloud, not because IT managers don’t understand the issues, but because they need to comply with regulations that were designed before we understood the scope of our security problems. If you’re in one of those businesses, which includes most of the health and banking sectors, you’re out of luck. But if you think that your IT staff can protect you better than the security teams at the major cloud providers, think again.


  • Guest

    haha “Don’t kid yourself. If the NSA wants your data, they certainly know how to find you.”

  • Iwan

    Haha, what big locks are you talking about? With the law in US they can get any data they want just by asking.
    If the in-house IT (and I do not talk about kiddy IT) is good (usually means you have to find the people and pay them well), then it is not that easy for the NSA and Co. to get your data. The laws we have in many countries are there because the NSA cannot walk in everywhere just because they want to.

    Of course I agree in case your IT-Department does not have any qualified people, then Cloud Providers may be better. But are you sure they do not work like your corp and use the same argument “..whom the HR department says is “qualified”?”?

  • Thomas

    That sounds to me like a guy who doesn’t know what he’s talking about. He always “trusts” the guy he doesn’t know, the farther away the better.

  • emu

    In the end it’s not really a matter of security know-how. Google has plenty of that. IT departments of other companies (big and small) have it too. It’s a matter of trust. And trust cannot easily be rationalized.

  • Mark Murphy

    The author appears to only be thinking of one issue: a direct attack attempting to get your organization’s data. In that respect, the author is probably accurate.

    However, the risk of centralization comes from dragnet attacks, where the attacker is not looking for *your specific* data, but rather large quantities of data, which will be analyzed after the fact to determine what is and is not useful from that data. In this case, the fact that cloud providers are “in the cross-hairs” becomes more important. In effect, by going with a cloud provider, you are choosing to put yourself in the line of fire, fire that you might otherwise not be receiving had you kept clear of those providers.

  • Essex Photographer

    Not only the NSA, but these days if anyone wants your data they can find it.
