Monday, November 29, 2010

On Securely Making Cloudy Claims About Cloud Security

PC World reported on a speech by a former hacker known as MafiaBoy, who was arrested for a long list of insidious activities. Now he was a guest speaker in Toronto, Canada, at a forum organized by a well-known Japanese storage vendor.

His contention was that Cloud Computing has serious security vulnerabilities and that Security is an afterthought among vendors.

I am certain the reformed hacker is a very, very smart man. I am positive that no amount of security can ever guarantee perfection. However, the whole approach and message was a bit yawn-inducing for me. He was restating the obvious, wrapped in a bit of irresponsible FUD (fear, uncertainty, doubt), with a ribbon of future "I told you so" claims tying it up nicely.

That is like someone being arrested for throwing medical trash into a town's water tank, and then going on CNN or Fox News Channel to make a generalized claim, like, "There are serious vulnerabilities in our whole nation's public drinking water supply." That person can then sit back while people wonder if they should all be drinking bottled water only.

Some of the commenters at the PC World site, people who like hearing that kind of message, contended that Cloud Computing is nothing but Client Server with a new label. OK, if someone said Cloud Computing is sort of like On-Demand Computing, but with both the ON and the DEMAND parts kicked into high gear in the marketplace, I would have agreed a bit.

Yes, of course, many of the concepts of Cloud Computing are derived from the evolution of previous computer system architectures and paradigms. But if Cloud Computing is exactly the same as Client-Server, then it is even more the same as the mainframes and dumb terminals of yester-century.

For the first time in modern history, the true power of the Internet can be harnessed by everyone, and every business, at every level, for almost every function, with the same type of access previously only giant multinationals could afford.

Even with the Internet boom, the overall benefits to us, ordinary people, were limited in type and scope.

We could enjoy email accounts of our own. With a bit of web hosting, using $5 per month packages, we could put up web sites as slick as those of the biggest multinationals (whether anyone ever visited our web sites or not).

But, we could not venture into scaling beyond those basic limits.

A company with 20 employees could not afford true ERP or CRM solutions. An art movie studio with 5 creators could not expect to take on a movie requiring 10,000 hours of rendering time without their idea being passé by the time their 5 PCs or Apple Macs finished chugging along.

Now they can rent software as a service (SaaS), platform as a service (PaaS), or a ton of infrastructure as a service (IaaS) as and when they need it, without needing a million-dollar budget.

These, and countless other, aspects of cloud computing are leveling the playing field for individuals and the smallest businesses, which no Client Server solution ever did.

The benefits big business is gaining from Cloud Computing are even more obvious. Hardware and software license cost savings, energy savings, better use of available resources with the available headcount, and, for once, reducing total cost of ownership without resorting to the typical headcount reductions of past years, are just a few. Quick, affordable provisioning of application development and test environments, in hours, and then spooling them down again, is another.

So, going back to our esteemed and honorable ex-hacker's contentions about Security, let's ask: Is Security important? No. It is not merely important, it is ESSENTIAL.

But for anyone to say that Cloud vendors are treating security as an afterthought is absolutely ridiculous. It is even sillier posturing than politicians of all parties typically indulge in, with meaningless statements that raise their audiences' fear levels. Just recently I wrote a popular item which discussed the Cloud Security Alliance's good work, especially in the area of enabling greater levels of governance, risk management and compliance in the Cloud.

An important thing to keep in mind is that Next Generation Data Centers, with highly converged and virtualized infrastructures, are not being created out of thin air, with paper, glue and paint. They are being created by integrating, and hardening, existing parts of the solution stack: virtualization, network, compute, and storage.

None of these elements is some untested new gadget created in a lab by two geeks and their dog. Each element has industry leaders and strong competitors. Each has its own security posture, needs and mechanisms. And vendors who are putting together the entire vertical stack, whether from in-house or partner technologies, are all working to build additional wrappers of Security around it. Trusted multi-tenancy, authentication and access control, and encryption of data at rest and in flight are just some examples of the additional wrappers being built around the "core stack" and what is in the "box".

Is this all perfect? Of course not. But even the most secure, non-cloud data centers of big corporations have shown how Security can be breached.

From millions of credit card numbers being stolen, to WikiLeaks, even where Security is the most talked-about topic, e.g. in financial services, government, military, healthcare, etc., some "misguided" (read: malicious) person can find a way into any system, or may already be inside the system (as an employee).

What is required is for people like the former hacker to give specific examples of where they see major vulnerabilities, how they would fix them, or where they suggested a fix and some vendor(s) or clients did not listen. I will be happy to take him to industry leaders at industry-leading companies even better known than the large firm whose guest he was.

But then he had better have some specific risks and vulnerabilities identified, with specific recommendations and proposed solutions. Otherwise, there are plenty of people who can sit outside complaining about a "problem" without being part of a "solution." Who has time for those?

What do you think vendors need to pay more attention to, immediately, to make Cloud Computing more secure?


Imran Anwar is founder of Internet email in Pakistan, co-founder and co-owner of the .PK ccTLD of Pakistan, and founder of the credit card industry there. As a New York based technology, cloud computing, strategy, marketing, media and business professional he is often seen and heard on global media like CNN, Fox News, Express TV, WWRL and many others. These are Imran's personal opinions and do not necessarily reflect those of any employer, parent company, client, family member or other persons or organizations. Phew!
