jump to navigation

Never Secure Enough January 28, 2009

Posted by Chuck Musciano in Leadership, Technology.
Tags: ,

Many are predicting that 2009 will be a big year for The Cloud, wherein many companies will move many of their applications to the cloud, away from premise-based servers and storage.  A lot of the conversation about this revolves around network speeds, processor virtualization, and storage aggregation.  Although all of that is important, I’m more concerned about security.  More specifically, who in the cloud can see my data?

When I host an application internally, I have extremely tight control over access.  Not just who can use the system, but how the administrators can access the system and the underlying data.  We have layers of controlled access with specific checkpoints and audit trails.  Every access must be justified, documented, and audited on a regular basis.

When I shift a system to the cloud, I typically retain the ability to manage end-user access, but have no control over administrative access at the other end.  Of course, the hosting company will swear up and down that every precaution has been taken to keep anyone from ever seeing my data.  In reality, I have no idea what they really do behind the scenes, and I have no way to completely verify their claims.

The recent Twitter hack is a great example of this.  An admin at Twitter used a plain word (“happiness”) as their password. This was hacked by a person using a simple dictionary attack, trying every possible password until they broke in.  Once inside, they had immediate access to the Twitter management tools and proceeded to gain control of a number of high-profile Twitter accounts.  Fortunately, Twitter is a lightweight application with no important data that could be compromised. Still, people were embarrassed and disrupted by the penetration.

A chain is only as strong as its weakest link.  A system is only as secure as its weakest access point.  When you move your systems to the cloud, your data is only as secure as the worst password used by the least experienced administrator.

I believe I’ll wait a bit longer before moving to the cloud.

[tweetmeme source=”EffectiveCIO” alias=”http://j.mp/cio161″ only_single=false]


1. Bill - January 30, 2009

A bit of devils advocate here:

I think there is the concept of risk here and the tradeoffs. If it is a commodity item and that data is say simple reference data then the cost effective nature of a cloud, SaaS and ASP may work.

Also, if cost pressures drive you to the cloud, you can still do penetration testing and a myriad of risk management functions against the black box – just like the hacker!

2. Pick Your Bridge « The Effective CIO - January 18, 2010

[…] readers know that I have some strong concerns about cloud computing, especially in the arena of security.  I’ve enjoyed a number of vigorous debates with both vendors and fellow CIOs regarding […]

3. ahuvah berger - April 21, 2010

but what about data leakage via the mobile device? do you have any kind of endpoint security for the mobile device?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: