Saturday, June 11, 2011

Comparing Local to Cloud Security

The first thing that prospective cloud users ask about a new cloud application is "What about security?".  It's a good question, and one that should always be asked when looking at a new public cloud based service vs. internally hosted “private cloud solutions”.  One of the things that I highlight for my clients is that when looking at the security implications of using a public cloud computing service, they should use a fair comparison.  They should compare the security of the public cloud to their alternative, usually an application deployed on their "private cloud" or locally hosted solution, on their own hardware located within their walls.  

This is the first in a series of articles that I will be writing to help answer how we can evaluate cloud security for our business and make good choices.  I want to peel away that first layer when evaluating security.  What you might find is that getting into minute detail on cloud vendor’s security scheme isn’t needed if you can’t afford to do the most basic things for your own locally hosted business system.   I’ll revisit some of the things I mentioned in the security section of my risks article.

I use the term “private cloud”  in this article to mean any locally hosted application infrastructure.

Physical Security

When evaluating cloud application security and comparing it to a solution hosted in your office you should evaluate what you have or might have locally then compare the "physical security" of the two solutions.  Do you, as a private cloud owner, secure your servers against physical access to prevent the extraction of your data (either electronic or complete removal of the server from your premises at night)?  Are your servers available to anyone that can get through the first door of your office or are they in a locked room?  Do you have any kind of security service watching your property and challenging anyone that tries to enter?

Physical security at data centers for Google and Amazon are pretty good, better than most Fortune 500 companies I'll bet.  There is a video showing Google security systems designed to keep vehicles caring destructive forces away from building, along with sensors and cameras to detect intruders (and that's before you can even get to the front door).  Although this is a bit over the top for many businesses, many cloud solutions will most likely be better than what a small company can afford.

Authentication and Authorization

When comparing local deployment to cloud solutions, you have to ask about authentication and authorization.  Do you enforce password complexity on your internal systems and applications to make it difficult for remote attackers to guess passwords?  Attackers don’t just sit around typing in passwords hoping to guess the right one, they have programs that try thousands per second.  Do you use “two-factor authentication”?  Do you have policies that define how people are authorized to access your systems and minimize physical and electronic access to your most private data or how you grant "full access" to your servers to your employees.  How often do you audit your internal security defenses?  Do you have a professionally configured firewalls to help prevent intrusion from outside?  Are your firewalls and other internal systems monitored so that you can detect an intrusion, or, if you are even under attack?  And last but not least, are all of these defenses continually updated with the latest firmware and software patches that come out to fix security holes?

If you are a small company, the answer to the questions above are most likely "no".  And if the answer is “no”, you are probably more vulnerable to data loss to the outside  than if you used a public cloud computing service in my opinion.

I continue to stand by my analogy whereby the security is more likely better at a cloud provider because of the  potential dollar loss to a provider due to a security breach as first mentioned in my cloud benefit article.  The analogy is similar to what happened in the grocery industry when large grocery chains caused grocery stores to be safer overall (from disease standpoint).  This is because of the potential dollar loss if it were found that contamination came from one of the stores owned by the conglomerate.  Grocery store chains spent a lot more money in food safety thereby lowering their risk and in turn, set the bar for food safety in grocery stores.  In the end, it’s been shown that consumers are safer.  I submit that because of the scale that a public cloud provider has, they’re motivated and can better afford to hire dedicated staff that monitors their systems for intrusion, protects their systems, and does pure research on how to improve their protection systems.  This is something most business can’t afford, unless they are a very large company.

If you are a small company, it doesn't take much effort for a good hacker to get through your defenses.  Many large company defenses fall when they come under concerted sophisticated attacks from multiple directions by hackers.  Sony’s gaming network has been down for over a month and exposed a lot of customer confidential information.  As soon as they thought they were ready to come back on-line, another one of their systems was penetrated by hackers.

Because of their scale, Google and others are starting to roll out “two factor authentication” in order to access their systems.  If you turn it on, you have to know your credentials (user name and password) along with having your phone with with you.  Why?  Because they send a one-time key to your phone via instant message that is required to log in.  Hence the “two factors”, something you know (your password), something you have (your phone).  There is nothing to buy or maintain since most people have a cellphone.  It’s a brilliant low cost solution for Google's users.  Because of the cloud provider’s scale, they can afford to implement this (along with other things) for all their users whereas most small businesses can’t.  Other cloud providers provide a device that fits on your keyring right that displays a number that changes every minute that is used as your second factor. If you have servers in your office, do you require “two factor authentication”?  If the answer is “no”, don’t feel bad, most don’t.   (Read my recent post about Google’s two-factor authentication).

Before you fire up your response about how something like RSA Secure ID is a lot more secure implementation of “two factor authentication”,  my point here is that for a small business, this is too expensive and I don't think most businesses need it.  Solutions like Google’s are like a free upgrade in security.  It may not be military grade but better than what you are probably using today and difficult enough to force attackers away from that attack vector.  In my opinion, if you are under attack where your cellphone SMS messages are being intercepted in order to break into your data, you're in a different class of security needs and need tools that go way beyond what most businesses will need.

Workstation Security

Sometimes all it takes is a simple phone-call to convince an employee to give up their password.  This happens when they think the call was from someone in their IT department or security company (known as a "social engineering attack").  Employees are continually receiving e-mails that may look like they are from someone they know asking them to look at an attachment  or go to what they think is their banking web site that actually installs a virus on the company network (known as a "phishing attack).  Another known method of infection are employees that bring malware unknowingly located on a USB drive and inserting it into a company computer.  Ask the Iranian nuclear enrichment center about the last one :).  The number of possible infection and attack vectors are huge.

Dave Fisher, my trusted security expert, pointed out that many hackers (or hacker gangs ) avoid the frontal assault on corporate systems.  The best way to access company information is to penetrate an employee’s PC, which allows them to launch direct attacks from inside the company.  If you are a small business, a compromised employee PC can mean your entire operation is compromised as the attacker gains full access to all your key systems and installs back-doors on your servers, network routers and more.  Many companies know this and, if they are like the Fortune 100 company that I work for, they continually upgrade employee PCs to patch the latest security vulnerabilities in the operating system and applications, upgrade virus and firewall software, and scan for other local nasties.

Many internal systems depend on the client storing data locally so that it can be used when off-site, since remote access is too complex for many small offices.  Therefore, your laptop hard drives should be encrypted so that if they are lost or stolen your company or client data won't leak out?  My company forces this software onto employee PCs, protecting lost or stolen PCs.  All of these scans and patches make my PC almost unusable at times but it is necessary.

Does your company do do all of the above?  No matter which application solution you choose (internal or cloud provided), you still have to spend money doing these things.  Once you do all of these things I wonder if you have any cash left for servers, software and maintenance?

Nothing Is Completely Invulnerable 

A few months ago it was discovered that a company who's business it is to help secure other companies, RSA, was broken into.  RSA provides cryptographic software and secure authentication software and devices used by 1000s of companies and the military.  These tools help secure company systems  and networks against unauthorized access by intruders.  Many companies are worried about the use of their secure authentication software/hardware tools as a result of this.

This article in the New York Times discusses a security breach at Lockheed that may be the result of a security break-in at their security vendor, RSA.  WOW!
The SecurID electronic tokens, which are used to gain access to computer networks by corporate employees and government officials from outside their offices, are supplied by the RSA Security division of the EMC Corporation.  RSA acknowledged in March that it had sustained a data breach that could have compromised some of its security products. Executives in the military industry said Friday that Lockheed’s problems appeared to stem from that data breach and could be the first public signs of damage from it.  
If the above article is true, the implications are huge.  RSA recently started offering replacement of their SecureID tokens to customers that request it.  The point is, even after spending buckets of money nothing is perfect.

The point here is not to say you should ignore doing a security review of a potential public cloud offering but that you should not consider any solution, internally hosted or provided from outside, as bullet-proof.  Compare what the cloud brings to what you can afford to provide internally.  There are countless intrusions into corporate systems all the time, on systems thought to be secure.  Many of these companies have full-time staff dedicated to securing their systems, yet still they fail.  Don't assume that just because you can host your application internally it's going to be more secure than a cloud offering.  More likely, if you are a small business, it's going to be less secure since you can't afford the dedicated staff and continuous training needed to keep your systems secure (not to mention new hardware and software that come to market to fend off some new attack vector).  If you think the only way to protect your systems is to unplug and never be connected to the Internet, think again.  As Dave Fisher pointed out, nefarious attackers “jumped the gap” to systems that controlled Iran’s nuclear enrichment machines buy using a simple thumb-drive.  You can lock the doors, but you can’t always secure.

Where To Focus First

Neither private or public solutions can protect you from attack from within.  The strongest defenses can fall if an internal employee decides to extract information (the most common cause of a security breach). Where do you want to focus your money, and more importantly, your time, when it comes to security?  I submit that you should first focus your money on the things that protect you when using either private or cloud computing.  You’ll need to look at things like virus and firewall software, disk encryption, and internal policies that require users to keep their computers up to date and with the latest security patches.  Once done, consider utilizing cloud computing model where it makes sense.  Let your cloud vendor implement and maintain all the other protections and you can take  advantage of that and all the other benefits that come with this model.

Happy computing and... Let’s be careful out there.


No comments:

Post a Comment