Complexity
Complexity is always a key factor in security decisions. In general, less complexity means more security, as something simple is usually easier to protect than something complex. A few days ago I read something about cloud and security (again), something along the lines of CSOs being concerned that cloud means more complexity, so it’s insecure. Well, an interesting thing about complexity is that it doesn’t necessarily make things harder; generally it doesn’t matter how complex the entire system is, but how much of that complexity affects you and your ability to provide security.
Take, for instance, ABS brakes; they are far more complex than plain brakes, yet they provide more security. Staying with cars, electronic fuel injection is more complex but easier to operate, at least from the driver’s perspective. The same goes for fly-by-wire systems and many others: they are more complex, but they reduce the complexity presented to the operator of the system. That makes the device or system easier to handle, reducing the opportunity for human mistakes. There are more moving parts (and more parts that can fail), but the operator has to handle fewer variables.
Cloud computing is the same thing; highly complex environments such as Amazon EC2 make a lot of things easier for you. You have to directly handle fewer security aspects than you would by controlling your own data center, servers, and so on. The security issues related to those components are still there, but they are being managed by someone else, who is probably relying on heavy automation to make this new system viable. That someone else can be Amazon, or the maker of your car, or Microsoft or Apple for your operating system, and so on.
Just as ABS brakes were first introduced in Formula 1 cars and later reached the “end user”, the same thing happens with computing technology. I remember when electronic injection cars were being introduced; a lot of car aficionados complained that they were losing control to those little computer boxes, which couldn’t be as good as the old carburetor they could fine-tune by ear. Cloud computing has been maturing for quite some time and is now being adopted by end users. The complexity is still there, but it’s so well managed that what the end user perceives is a less complex system; from a security point of view, a system that is easier to protect.
ABS, electronic injection, fly-by-wire: all of those systems are trade-offs, relying more on technology and automation to reduce the complexity presented to the human operator. It’s a fact, proven by numbers, that it works for those technologies. Does it work for IT security?