Monday, July 23, 2012

Solving cloud security issues at the root


Cloud security is a popular buzzword in the security industry these days. New security challenges introduced by the cloud include issues related to compliance and law - such as where data is allowed to be located physically - as well as technical issues. However, we don't really face any new technical challenges. Cloud security in a technical sense is more a combination of old issues such as data segregation, virtualization and web application security.

It is of course important to deal with the new challenges posed by cloud computing. Standards and best practices are needed to allow for a secure transition to the cloud. The Cloud Security Alliance, a non-profit organization headquartered in Singapore, has taken on the task of providing the necessary security standards and is also providing education on the secure use of cloud computing.

Security vendors are jumping on the cloud security bandwagon as well, offering cloud security solutions as well as cloud-based security services. There is a market for these products for sure, but we should not let these products divert our attention from the fact that we are dealing with essentially the same problems we have been dealing with for the last 30 years: that the software, systems and protocols we build are inherently insecure.

In my opinion, this is a very important point. We like to go with the hype because hype sells. But we would achieve more if we focused on the fundamental problems. And in IT security, the fundamental problem is missing security awareness - with system developers as well as end users. IT systems are designed and built without security in mind, and users are not aware of security threats. If we could only build secure servers, applications and protocols, and use them carefully, we would not have to add security solutions as an afterthought.

Imagine we had a new, secure operating system that is unlikely to be breached. Many of the security issues relevant to cloud computing and many other issues, including virus and malware threats, would vanish. With today's knowledge it would be possible to design a fundamentally secure operating system - only the market does not seem to see a need for it.

Web applications are another big topic in cloud security. Nearly all big cloud consumer applications are web-based - examples include SalesForce CRM and Google Apps. While it is arguably difficult to build a truly secure operating system, building a secure web application is definitely something that's achievable. It would already go a long way if web developers were educated to follow basic secure programming practices. If we built secure web applications, we would eliminate another set of threats (and the need for a whole lot of security products).

Most other technical cloud security issues, like most other technical security issues, are related to secure architecture design and secure coding. Virtualization software has to be designed securely, and encryption of data in the cloud has to be implemented properly. Of course, all components used in a cloud infrastructure have to be configured securely as well, which is where cloud security standards come into play.

Granted, we are very far from a perfect security utopia where nobody needs firewalls and antivirus. Basic security principles such as secure coding don't have the hype factor of cloud security solutions. But I still think we should focus our efforts on the causes instead of fighting the symptoms if we want IT security to advance as a whole. This means designing and implementing more secure systems and applications, be it in the cloud or anywhere else.