
“Cloud” Computing Security

May 5th, 2010 Posted in Unspecific

I am so tired of hearing about “Cloud Computing.”  This is what we called ‘hosting’ back in the day.  Application hosting, service hosting, server hosting, etc…  all wrapped up into one trendy little package.  This trendy little package is confusing some and making liars out of others.  There is article after article about cloud computing that addresses one aspect of hosting and misses all the rest, therefore misrepresenting the author, or the author is just using what he wants to make the point he has been ordered to make.

Here is a perfect example:
http://www.infoworld.com/d/security-central/cloud-computing-more-secure-you-think-575

Now, I have been working with Internet technologies for about 15 years and I have been doing computer security for about 10 years and I have been playing with computers and programming for about 30 years.  I don’t consider myself an expert, but I am not dumb either.

Mr Roger Grimes here says that Cloud Computing is more secure than we really think.  Based on what?  Well according to his definition of cloud computing, which is not stated in the article, he says

“One of the biggest advantages of running a cloud is that a single fix affects all customers simultaneously.”

I need help with this one.  Last I checked, there is still an OS, and the OS that the “Cloud” is running on is not one single virtual machine running on hundreds of servers at the same time.  So how does patching one OS fix all your customers?   MAYBE he means if you are selling applications as a service?  If you patch that application they all get patched?  If they all run off the same environment.  Maybe I am just not familiar enough with the latest cloud technologies.  Replication of data across database servers…  wait, that means there is more than one again.

Here is my problem: articles like this don’t really say anything.  It says that some “cloud companies” that he has reviewed have better security than some smaller companies because they are larger.  Ok, but that has nothing to do with the cloud.  That has to do with resources the larger company has available and what they are willing to spend to get the job done.

He also states that “An HTTPS-versus-HTTP transaction can run 200 to 300 percent slower.” and that Google turned on HTTPS for all of Gmail because it had the cloud.  I want to know where the 200-300% slower number comes from.  I want to verify that, because last I checked, servers were getting faster and faster, with more memory, faster CPUs, faster buses, and so on…  I don’t think SSL adds that big of a hit.  But I could be wrong.  That is just a big number to throw out without any proof.  So I do a little Googling.  This one will confuse you…  on the server side, HTTPS is ~10% FASTER.  REF:
http://stackoverflow.com/questions/1468648/https-vs-http-speed-comparison

That being said, that is not a true exhaustive test, but it does show that HTTPS on modern servers and browsers does not add that much overhead.  Another mark against Mr Grimes.

He does say, on page 3 of 3, that he is worried about the security of the cloud, but then says it is the same as today.  Wait…  you mean with _my_ data residing on the same servers as someone else’s data, where people I don’t know have the same access as I do, is the same risk as me having _my_ data on _my_ servers where only I have access?  Maybe I am not the only one that is not understanding what the “Cloud” is.  Once again, this is just hosting…  Mail hosting, database hosting, etc…  I have to say that if there is a flaw in that MySQL and someone who is paying the X dollars a month through the web sign up page roots the SQL server, they have ALL my data, assuming you didn’t pay enough to have a dedicated SQL server, then it is a different story.  Then you have to worry about someone rooting the hypervisor of the virtual machine and gaining access to the host OS and then having access to all the guest servers.

The “cloud” is not as secure as hosting it yourself.  It never will be.  That does not mean it does not have its place.  Small to medium sized businesses could find some great resources in managed hosting.  Email, database, web and the like are easier to deal with if you are letting someone else do it and you can focus on your app.  If you only need to host a blog, or a common web app, it’s easy to find a “cloud” company that can do it, so all the company has to worry about is content.

BUT, if you are a larger company and have real concerns for security, unless something changes, the cloud is not going to be a secure option.  Something in the cloud is being shared and you can’t guarantee who else has access to it.  I am not talking about the employees of the hosting company, I mean their other customers…  shared firewalls, shared servers, shared applications.  A hole in any one of these could allow another customer with nefarious intent access to your data.  And the one who will look bad will be your company along with the “Cloud” provider.

These services have been around forever.  I have worked for a few hosting companies in my past.  Some of them do a great job, others not so much.  I am not saying that hosting is bad.  I am saying “Cloud” is bad as it is a vague reference based on a Visio diagram of a large number of services.  I am also saying that someone else hosting your data on shared equipment is never going to be as secure as you hosting it yourself or someone (who knows what they are doing) hosting it on dedicated equipment.

Good luck with the FUD, tell me where I made mistakes and as always, Enjoy;
Lee ‘MadHat’ Heath
