Are You Thinking About Clouds?

A recent piece on Forbes puts forward a list of 10 myths about cloud computing. Most of them are quite sensible, but there is one that I have a bit of an issue with, because it is poorly justified and not properly explored. That issue is #6 on the list, on security.

Cloud vs. Internal Security

The actual myth and the author’s response are as follows:

Myth 6: Cloud Is Less Secure Than On-Premises Capabilities
Cloud computing is perceived as less secure. To date, there have been very few security breaches in the public cloud — most breaches continue to involve on-premises data center environments.

Advice: Don’t assume that cloud providers are not secure, but also don’t assume they are. Cloud providers should have to demonstrate their capabilities, but once they have done so there is no reason to believe their offerings cannot be secure.

Let’s explore the different components of what was written here, because there are problems. The first sentence is the easy one: cloud computing is certainly perceived as less secure. I wouldn’t disagree with that statement. I believe that the perception is that cloud computing is less secure than running things in your own network and on your own servers. The perception may not always match reality.

But the second sentence, about there being “… very few security breaches in the public cloud…” is entirely flawed logic. Why would “… most breaches continue to involve on-premises data center environments”? Um, because there are more of them? Like, a lot more? That’s like saying “well, the Ferrari 458 is safer than a Honda Accord, because more accidents happen in Honda Accords”. In terms of total accidents, yes, there are more. But that’s because there are, in North America, somewhere around 3 million Honda Accords on the road. There are only 20,000-30,000 Ferrari 458s. In simple terms, you might expect there to be about 100-150x more accidents with Accords because there are 100-150x more of them on the road. But if you look at accident rates, the Ferrari may be worse because it may be driven in ways that are more dangerous.

The totals don’t matter; it’s the comparative rates that count. Just because there have been comparatively fewer security incidents with public cloud services doesn’t make them inherently more secure, as implied by the statement.

Security Is Partly About Control

When I put something on a Cloud server, I am giving up control of some aspects of my environment. I am dependent on the Cloud vendor to keep their firewalls, routers and such configured properly, to run proper intrusion detection technologies, to man a 24×7 monitoring system (and actually pay attention to it) and to keep up with software and firmware updates. I expect them to perform some due diligence in their hiring practices. I expect them to conduct regular audits and penetration tests. I need them to have proper incident response processes in place, and keep them fresh and up-to-date. I need to know that they are maintaining proper physical security on their datacentres. I expect that they’ll constantly train all their staff on security, particularly around social engineering attacks.

When I run my services on my own network and servers, I have more control over all of that. I can take steps necessary to hire the right people, and to keep them current in their security skills. I can control the processes and procedures. I can know, with a degree of certainty, just how secure my environment is. I can bring in outside firms to check my processes and environment, including penetration tests to verify it is reasonably secure. Can I make it 100% secure? Sadly, no. There will always be weaknesses, and mistakes will sometimes get made. I can take steps to minimize them as much as possible, but I’m not so naive as to think I can achieve perfect security.

There is another element of security that remains in my control: government access to my data. If a representative of the government, such as law enforcement, shows up demanding data, I can take steps to try to prevent that before the data is handed over. However, if my data is sitting on a cloud server, then I am dependent on the vendor putting up a fight, and they may not want to (or have to, if it says so in their terms of service).

That Isn’t To Say Clouds Are Insecure

What I’m not saying here is that a cloud service is inherently insecure, or that it is necessarily less secure than something I can build myself. I am placing a bit of a bet on a cloud provider, but I also recognize they have a business to run and a reputation to maintain. Poor security will eventually kill off a vendor, so they know they have to take steps to maintain a secure environment for their customers.

But just how far they are willing to go, and what I can expect, will vary. If they aren’t charging a lot for their service, don’t be surprised if they cut a few corners here and there to maintain a profit margin. Not enough to put everything at risk, but maybe corners that you or I would not have cut if we were running it ourselves.

An Overlooked Topic: Availability

One item that did not come up (possibly because it would make the list 11 items instead of a tidier 10, although Myth 4 is pretty weak) is one about availability. When I offer a service, I don’t just need it to be secure, responsive, scalable and cost-effective. I also need it to be up and running 24×7. Like security, this is also about control.

Sure, I can build out all kinds of redundancy within a cloud-hosted environment, much as I would in my own datacentre. But it isn’t just the redundancy that counts here. It is also looking for, and actively avoiding, single points of failure. Certainly, I would expect most cloud vendors to be diligent on this, but I have no real guarantee that they are.

A few of the major outages in big services (internal or otherwise) over the past decade or so have been because of single points of failure. Blackberry had parts of their services interrupted a couple of times because of the loss of a single component that had no redundancy, and no one noticed. The NYSE had a similar issue happen early in the 21st century. Given the complexity of networks and systems, it can certainly happen. When you add in multiple groups and their own bureaucracies, it is entirely possible that two groups assumed that the “other guys” would have detected the problem, when it turns out neither was looking for it.

But, again, with something within my control, I can take steps to minimize the risk. I know that it won’t go away completely. Again, people will make mistakes. But I can put processes in place to keep the risk low because I control it. I can’t control how a cloud vendor does their job directly.

But Cloud Services Are Not All Bad

Frankly, I think Cloud services, particularly cloud-based generic servers, are brilliant. It gives me, as a small business, flexibility and computing power for a cost that is typically less than what it would cost for me to do it myself. I’m not just talking about the cost to buy or lease the servers. I also don’t have to buy all the supporting gear (routers, firewalls, racks, power, cooling, security) to run those servers. I don’t have to hire full-time IT to run them.

But if what I’m working on is going to grow (not that I am, just saying), I will seriously look at running my own gear in my own facility. But a cloud service lets me get started for minimal risk and minimal cash outlay. Certainly, look at the cloud and cloud-based services. But beware of the tradeoffs, and make those decisions intelligently.
