Cloud Computing Security: What About It?

I'm always trolling the Web for insight into the latest technology trends, and how these trends could impact both how we use technology and how it may change how we secure our data. During my pursuit for knowledge, I'll often run into bone-headed comments and blogs, and when I do, for the most part, I just shrug them off. Today's experience isn't one of those times.Through a series of Web clicks that I couldn't reconstruct if I tried, I stumbled upon this blog post from Howard Flomberg at Examiner.com. Flomberg says he's been reading about utility computing for decades, and I have no doubt as far as that is concerned. The concept of utility computing is certainly not new, and neither is the concept of virtualization, which has existed on mainframes for a long, long time.

But I do wonder why he, and many others, continue to confuse virtualization as "cloud computing" -- it is not. Sure, virtualization can be part of a cloud. But you could also have a cloud without virtualization. Likewise, running a few virtualized containers doesn't a cloud computing infrastructure make. Cloud computing is more about information and application services delivered via the Web as a simplified utility. While virtualization will be a fundamental of cloud computing, they aren't one in the same. But even this semantic nuisance isn't what got my feathers fluttering.

It's that Flomberg, and many others, seem to think that cloud computing is natively secure. It most certainly is not. Here is Flomberg's zinger, after he accurately described some of the benefits of cloud computing:

"By moving the application software and databases to their multi gazilion-byte servers you can concentrate on the product. Security - What about security? Off the shelf security has the CIA angered - they can't crack it."

I'm assuming he is talking about AES encryption. And it certainly is a good idea to encrypt data while it's traveling from the client PC to the cloud, and even while it is remotely stored. And there's no argument from me that encrypting data is an important facet of security -- but for an enterprise, this is only the beginning of information security as it relates to the cloud. And it's not even the end of the beginning. It is really just the beginning.

I have a few "what about security" questions for Flomberg:

For starters: What about making sure the data is segregated? If you need to be compliant with any one of the myriad of government and industry regulations, encrypting files without segregating them just doesn't cut it. Besides, you just don't want your high-value data to be co-mingled with your low-value data. Do you? Properly segregating data is something you'd want to do anyway.

Then there's the issue of in what country your data will reside. That's right: There are regulations in many countries that forbid certain types of protected data to actually leave the physical boundaries of a country.

What about having the ability to validate how your cloud provider keeps data secure? Or, even for the ability to independently audit their policies and processes?

What about the background of the employees and administrators hired by the cloud provider? Who will actually have access to your data? Even if it's encrypted, it can still be lost, destroyed, or your access to it cut. How does AES help you there?

What about your business continuity and disaster recovery plan?

What about data-loss prevention from the cloud?

How will your business manage identity and access management to cloud-based applications and data?

What about the fundamental security of the application code your cloud provider is using? I don't think buffer overflows and data injection attacks -- and all of the other application-based challenges we still haven't solved -- will just vaporize in the cloud. Please.

These are just a few of the security challenges that are arising from cloud-based computing, whether the cloud services are outsourced or you're building a private cloud.

To be so flippant about IT security as it relates to cloud computing, as to essentially say "what about it? -- just encrypt your data and you'll be fine" is as naive as it is dangerous. It is this type of shortsighted thinking about Web application security way back in 2000 that placed us, for the large part, in the application security mud we wallow in today.