Thursday, June 11, 2009

Looking at things through "cloud glasses"

I was happy to see the latest posts from Alan Shimel about the incident at LxLabs and what it means for "cloud security". Not only because I think he is right about using it as an example of why we should think about cloud security, but also because I like his "anti-hype" posture. OK, that specific incident may relate to only one of the several aspects that define "the cloud" (according to Hoff, "multi-tenancy", and the implications fall mostly on "public cloud providers"), but that doesn't mean there are no implications for cloud security discussions. And I'll try to go even further in this analysis.

If you look at the incident's characteristics it's easy to relate it only to multi-tenancy environments, but it can also be seen as a sign of higher impacts (and rewards for attackers) when components are leveraged by multiple users, users being not only multiple organizations but also multiple applications, guest OSes, networks or anything else that can share a common resource base. Sharing an (elastic, on-demand, whatever) common resource base is probably one of the key concepts of cloud computing, so yes, we should connect that incident to cloud security. It's not a one-to-one relationship, but it makes sense to look into the causes and effects of that fact through "cloud glasses" (WOW, I've just created a cloud-hype term!). And that's also why I think Schneier is not completely wrong when he says we have been here before. We have been sharing computing resources for some time; let's look into the old stuff without prejudice and see which lessons learned back then can be applied to the new context. I'm sure we can use a few.

One interesting aspect that can be highlighted from this incident is how sharply security dependencies can increase when you start to leverage cloud-based services. Suddenly, the security of your data depends not only on the security of the software and hardware you own, but also on the security of the software and hardware of the several service providers that are part of that offering. So, you are using SaaS from X? OK, and they are running their application on PaaS from Y, who operates on IaaS from Z. You see X, but your security now depends on X, Y and Z. How can we do risk assessment for that? I'm not saying that it's good or bad, just that it has interesting implications for risk management and trust.

Yes Alan, cloud security matters and LxLabs is a very good example to use.
