Security and Risk in the Cloud, ongoing…

There has been a lot of discussion recently about whether the cloud is the same or different. Most of the time, these chocolate-peanut butter (tastes great – less filling?) arguments in tech involve different levels of granularity in thought. On the one hand, everything is different, but on the other, everything is the same. So everybody is right… and wrong.

I can understand Schneier's point that the aggregation of computing resources (timesharing -> cloud) is similar, but I think he completely misses the changes in architecture and appears to ignore the changes in risk.

From an architecture perspective, the big difference between cloud and timesharing is the entire notion of "loosely-coupled" that dominates service-oriented architecture. In the early days of the mainframe, architectures were closed and security was dominated by menu-based access control. This worked fine given the threat profile.

Today, the flexibility provided by "loosely-coupled" systems and open networks increases the attack surface dramatically (note that we have gotten used to this over the past 20/30/40 years but it is a significant change compared with timesharing). Add standards to the equation and we have a number of dots that are connected in delivering any service, where each dot is a computing component but also an attack point.

On the risk front, the cloud has the potential to be significantly different from what you are used to. On the SaaS side, the value proposition to attackers is significantly higher if they can compromise a single application and potentially gain access to the data of many organizations. Of course, with SaaS there are also significant opportunities to enhance controls over configuration and patching.

On the PaaS and IaaS side, you can't ignore your neighbors and what they might be doing. The types of computing being done may impact your own installation. Consider the attacker who purchases his own compute VM and has a higher incentive to escape it and get to the hypervisor level. Or, on the business side, consider the possibility of being co-located with an illegal VM and having your compute resources confiscated by authorities as they sort through illegal activity.

As usual, a full assessment involves understanding your relative changes as you consider the cloud – ask yourself what changes for your programs, data, and users.