Cloud Security: The Essential Question

“Cloud Computing: Who is in Control?” This was one of my all-time favorite posts from more than four years ago. Then at Burton Group, I’d become the cloud security analyst just as the technology industry, still reeling from the Great Recession, began to rise like a phoenix in the fire of cloud computing. 

The control figure here became a hit. So far as I know it’s the first of its kind, but I’ve seen it reproduced or imitated by others. As recently as June 2013 I found an article incorporating it with attribution and a nice comment from the author. The way my figure keeps reappearing suggests that indeed, “who is in control” remains the essential question – but it is just getting more complex, just as real clouds in the sky take many forms: stratus, cirrus, cumulus, etc.

Both my classic diagram and some variants I’ve seen all use my original color scheme, so that “as we move from left to right in the diagram and put more and more control in the hands of [public cloud] service providers, the outlook shifts from fair weather green to ominous red.”

Red or Green, Security Pros Can’t Stop the Cloud

Cloud computing seemed ominous five years ago, especially to security professionals. We’d say things like “Cloud will transform IT, but start with the low risk use cases” or even “Don’t put sensitive data in the cloud!” And yet the world moved on, with businesses increasingly vaporizing IT to the public cloud over all security objections.

In a sign of these times a new administration came to Washington in 2008 with visions of consolidating more than 2,000 Federal data centers; its Office of Management and Budget (OMB) proclaimed a strong mandate that new Federal projects must consider cloud computing. Hundreds or thousands of VMware, Citrix, Sun or Microsoft (Hyper-V) installations in private data centers were rebranded as “private clouds” even if they didn’t really deserve that name.

You can legitimately call something a “private cloud” if it offers push-button self-service VM deployment (perhaps with workflow authorization) to business users. It is then a highly dynamic little replica of Amazon Web Services (AWS) within the constraints of its Service Catalog. But from the security perspective, internal private clouds have more in common with dedicated IT than with the likes of AWS, because they remain under an organization’s direct control.

IT security never really could keep all their sensitive data out of the public cloud. The question for security pros evolved from “IF” to “HOW MUCH” and may eventually just become “HOW?” And the diagram with its red, yellow and green colors looks increasingly simplistic – a typical big application today runs on a stack that’s more complex than SaaS, PaaS and IaaS and has multiple components and critical dependencies off to the side. Service providers leverage each other too. Think of a large travel reservations service with a DevOps team of 10 running on EngineYard (PaaS) hosted on AWS (IaaS) but also using other service providers for source code vaulting, credit card processing, service monitoring, service instrumentation and a content delivery network. That’s the real world now. Who is in control of that?

Can We Trust CSPs (Yet)?
My original post asked “Can we trust [CSPs]?” and its answer was “no.” I wrote another post called “To Cloud Computing Vendors: Stop Practicing Security by Obscurity!” Since then, CSPs have dramatically improved their security capabilities and narratives, becoming at least a bit more transparent in the process. All along, security pros aligned with cloud vendors often argued that professionalized cloud solutions were more secure than a dedicated IT group could ever be, especially one working for a small business.

That raises the question: is it time to change the color scheme? Perhaps we can look to the original post for answers.

“I paint the functions these services control an alarming red. To see why, we must ask: Do they [the CSPs] provide assurances? No. The major public cloud computing providers generally offer no SLAs at all. They accept little or no liability even for the security measures their own advertising claims to provide. Can we trust them? The short answer is no. Their actual security measures are obscure, vulnerabilities undisclosed, and audits unimpressive.”

Pretty damning, eh? But it’s been almost 5 years since I wrote that. Is it still true? Partly. CSPs have gotten more sophisticated about offering some kind of SLAs, and more of them have ISO 27002 or other certifications. The Cloud Security Alliance (CSA) has created its STAR Registry for providers to self-assess and provide some surface information customers can see without an NDA. But the actual security measures, when you get down to the details, remain obscure, and vulnerabilities are definitely not disclosed as they sometimes are by premises-based software and hardware vendors offering similar functionality. Moreover, cloud customers have other major issues not mentioned in my old post, such as how to back up all the data of a large, complex deployment, incident response and (potentially) secret surveillance of their traffic by government agents.

Planning Ahead
My old post concluded by saying that, in the end, it’s all a question of risk management, and whether or not it makes sense to use cloud computing depends on your situation. That’s a pretty generic answer! With the experience of time, let’s now at least ask: What does it depend on?

  • How secure are the CSPs for your use case?
  • How secure are these CSPs’ supply chains in your use case?
  • How do you secure your use of the service with compensating controls?
  • How well do you manage and coordinate operations with the CSPs?
  • How will you monitor all CSPs on an ongoing basis?
  • What is your business continuity plan?

Imagine asking those questions for each service you use and you’ll quickly see that you need to develop an enterprise cloud security strategy and architecture to provide some repeatable methodologies and leverageable capabilities. I have been recommending that enterprises take this step for years and have advised or consulted with many customers on how to embrace cloud computing within their enterprise security program and enterprise architecture. If you have access to Gartner for Technical Professionals content, you should read

In an upcoming post on this blog I’ll provide a summary of some of the key points from those documents and then go beyond their 2010 through 2012 thinking to focus on my second bullet, which gets to the difficult question of how to assess security in “hybrid IT” use cases.
