Blogger: Dan Blum
Does cloud computing security need to be “secret”? Google, Amazon, Salesforce, and other cloud computing vendors seem to think so.
Eric Maiwald (Research Director for Burton Group Security and Risk Management Service) made an excellent post on the risks associated with resource aggregation in the cloud. He used the recent Rackspace outage to make his point that customers had better know their providers environment before using their services. In fact, there is a whole cloud computing incidents database on Wikipedia. What this all shows is that cloud computing is subject to the same (in)security dynamics as the rest of IT.
Over the years, security professionals have learned that security by obscurity doesn’t work. There is a balance to be struck between opacity (to the attacker), transparency (to the customer), and disclosure (by the vulnerability researcher).
Concerning transparency, I quoted John Clippinger's “A Crowd of One” book in an internal Burton Group email:
“Trust…can only exist as a consequence of mutual expectations being fulfilled. Trust requires measurement, feedback, and accountability. In most social networks, the consequences of low trust are high transaction costs, that is, constant monitoring, negotiation, bickering, and dispute resolution…The ability to build and leverage trust among members of a group builds social capital and significantly reduces transaction costs.”
That really got some discussion going! Research Director Drue Reeves blogged on Cloud Infrastructure Secrecy: Competitive Advantage or Disadvantage…
And Jamie Lewis, Burton Group CEO makes a great post within a post, here:
“Lack of cloud computing vendor transparency reflects the immaturity of the marketplace. If vendors think security is a competitive advantage, then they are sadly mistaken. And they will have to go through a painful cycle to learn that lesson.
At Catalyst 2008, George Sherman of Morgan Stanley gave a fantastic keynote for the IdPS track. At the end of the presentation, he said that anyone should feel free to come up to him in the hall and ask questions because, at Morgan Stanley, they don’t see security is as a competitive advantage. He pointed out how the financial services industry as a whole relies on confidence and trust to operate smoothly, which makes sharing information in everyone's best interests. If one bank’s security fails in public and horrible fashion, all banks suffer a loss in confidence. (Our current crisis shows just how true this is.)
Is it not fair to say that the same dynamic applies to cloud service providers? If one or more providers suffers the breach/disclosure/PR/investigations/fines cycle from hell, does it not harm all service providers? Isn’t this even more true when said “other” providers refuse to disclose (even to us) enough details on the security posture to allow a reasonable assessment of that posture?
It’s not just that they have to get used to being in the spotlight. It’s that they have to completely get over the notion that security is a competitive advantage. No one will believe them if “trust me” is their only answer. The “cloud industry” needs to understand that it’s in all of their collective best interests for the buyer to have a reasonably good feeling about the security of ALL providers in order for any one provider to be able to sell successfully on the real competitive advantages: service levels, price, performance, and ability to support business needs.”
And Research Director Bob Blakley concludes:
“I’ve got a really simple response to anyone who wants me to buy a security and availability pig-in-a-poke. It’s this:
You don’t want to give me details of how you handle security or what your availability numbers & history are. That’s fine, I understand. You obviously understand that I have to manage my risks, and without these numbers I can’t assess risk or buy insurance. So here’s the deal. We have three options:
- You tell me what I want to know, or
- You accept unlimited liability for breach or outage in our contract, or
- I take my business somewhere else”
That's really telling 'em!
Struggling to see how the following statement is true at all:
"The “cloud industry” needs to understand that it’s in all of their collective best interests for the buyer to have a reasonably good feeling about the security of ALL providers in order for any one provider to be able to sell successfully on the real competitive advantages: service levels, price, performance, and ability to support business needs.”
It may hurt uptake of the industry as a whole but it won't stop individual cloud providers from stealing a march on their competitors.
Cheers
Craig
http://cloudsecurity.org
Posted by: Craig Balding | July 09, 2009 at 03:20 AM
The body of your blog does not support the premise of what you're attempting to write about. Please add some specifics instead of drudging through generalities. What are they being "secret" about and what should change from the status quo today?
Having worked with all of these vendors, saying that they're not willing to state their security posture is silly. There certainly may be things that individuals don't like about a given vendors security stance and they aren't screaming to the world everything they are doing from the security point of view, but they've always been forthcoming with information when asked.
Posted by: Frank Johnson | July 09, 2009 at 10:06 AM
Frank - the vendors may have stated their security posture to you, but I know plenty of folks that feel like they're left in the dark.
Craig - sure, Google, Amazon, Salesforce, and others have stolen a march. But its only a matter of time before they have to clean up their act or I guarantee you that others will steal a march on them! And that'll be a good thing because we don't want anyone "too big to fail" do we?
Posted by: Dan Blum | July 16, 2009 at 09:23 AM