Cloudy with a Chance of Security

It’s an inevitability: enterprise architectures are moving to the cloud. The logistical and financial benefits of commoditizing infrastructure are virtually impossible to ignore. Exhibiting the traits of a true paradigm shift, there’s also little chance of going back. You better get used to it. But no conversation about a cloudy future would be complete without someone gripping their umbrella rather tightly, and raining down concerns about security.

Cloud connectivity has one chief disadvantage: exposure.

The naysayers aren’t just trying to be the proverbial stick in the mud (well, most of them anyway).  In a world of increasing software complexity and integration, exploits are common, and hacking away at such flaws yields unfortunate headlines on a weekly basis.  Even if this week’s exploits are covered, black hat teens may be socially engineering your administrator or the NSA may be thumbing through your email.  It’s hard to keep government operatives, Chinese Nationalists, and LulzSec pranksters at bay all at the same time.  Security concerns are legitimate.

In response to the demand that company IP be protected, cloud providers offer options in increasing order of cost/protection, and decreasing order of practicality:

  • Paranoid: All connections to the cloud are encapsulated within a VPN connection.  Encrypting all internet communications these days is probably a good idea anyway.
  • Paranoid Plus: Bypassing the internet – a dedicated data line is installed between a client site and the cloud provider.  Kind of like the bat phone.  May require a Bruce Wayne bank account.
  • Paranoid Deluxe:  The cloud provider brings all their stuff and installs it at your business.  It’s unknown if this means their employees will also sleep in your bathroom and raid your vending machines.  Very secure as long as your employees have no internet, mobile devices, or windows; consequently this is a great option if your workforce consists entirely of vampires.

But security concerns aren’t strictly limited to company IP. Compliance is also an issue, especially in the United States with respect to export regulations. Besides the Department of Commerce Export Administration Regulations (EAR), there’s this little thing called the International Traffic in Arms Regulations (ITAR).

For those of you not familiar with ITAR, it is a labyrinthine set of laws designed to protect US national interests by limiting exports of sensitive materials and/or knowledge. The aerospace industry in particular has long been seeking ITAR reform, since the cost of ITAR controls has badly damaged US competitiveness for relatively benign products or services overseas. ITAR is typically something you don’t want to be on the wrong side of, unless your favorite color happens to be orange.

Even in this extreme case, a cloud solution is possible: witness Amazon’s GovCloud offering, specifically designed to ensure data is tracked and never exported to keep people out of orange jumpsuits.

So what’s the bottom line? Outside of the ITAR scenarios (for which something like GovCloud will be the only viable option), I predict that most companies really are just not going to care about anything more than the Paranoid level of security. Nor should they, really. Let’s think about this.

For one thing, employees tend to appreciate the internet, mobile devices, and windows at work (provided they are even in the office!), which renders some of the more extreme security measures somewhat questionable in their effectiveness. What added advantage does on-premise security have over cloud security, if the workforce is viewing documents and email on their smart phones while at the airport? It’s getting too late to stuff data back in black boxes unless absolutely necessary.

Another often forgotten point regarding existing on-premise infrastructures is that they exhibit many of the same vulnerabilities, as paths to the intranet and internet are virtually unavoidable. The difference is that the level of exposure is greatly reduced. However, even though the IP is locally stored and physically protected, software and hardware are often not kept up to date with the same rigor because of cost and resource limitations. Failure modes introduced by unique architecture, customization, unpatched vulnerabilities or human error are definitely more common in comparison to a commoditized cloud equivalent. You might note that cloud services in the past have been in the headlines for some rather egregious security holes – but at least you have all kinds of security expertise actively testing those. The same can’t always be said for on-premise, where staffs are smaller and expertise may not be as robust. Then there’s physical security – some businesses (especially A&D) do pretty well in this regard, but others aren’t anything to be proud of when compared to the security planning involved with large remote data centers.

So the tradeoff is that added exposure from the cloud is mostly compensated by more robust physical security and tighter architectures, yielding an effective wash in most cases.  It won’t be enough to invalidate cloud approaches.  So as I said, you better get used to that cloud thing.

Are you ready?