Never Secure Enough January 28, 2009
Posted by Chuck Musciano in Leadership, Technology.Tags: Security, Users
trackback
Many are predicting that 2009 will be a big year for The Cloud, wherein many companies will move many of their applications to the cloud, away from premise-based servers and storage. A lot of the conversation about this revolves around network speeds, processor virtualization, and storage aggregation. Although all of that is important, I’m more concerned about security. More specifically, who in the cloud can see my data?
When I host an application internally, I have extremely tight control over access. Not just who can use the system, but how the administrators can access the system and the underlying data. We have layers of controlled access with specific checkpoints and audit trails. Every access must be justified, documented, and audited on a regular basis.
When I shift a system to the cloud, I typically retain the ability to manage end-user access, but have no control over administrative access at the other end. Of course, the hosting company will swear up and down that every precaution has been taken to keep anyone from ever seeing my data. In reality, I have no idea what they really do behind the scenes, and I have no way to completely verify their claims.
The recent Twitter hack is a great example of this. An admin at Twitter used a plain word (“happiness”) as their password. This was hacked by a person using a simple dictionary attack, trying every possible password until they broke in. Once inside, they had immediate access to the Twitter management tools and proceeded to gain control of a number of high-profile Twitter accounts. Fortunately, Twitter is a lightweight application with no important data that could be compromised. Still, people were embarrassed and disrupted by the penetration.
A chain is only as strong as its weakest link. A system is only as secure as its weakest access point. When you move your systems to the cloud, your data is only as secure as the worst password used by the least experienced administrator.
I believe I’ll wait a bit longer before moving to the cloud.
[tweetmeme source=”EffectiveCIO” alias=”http://j.mp/cio161″ only_single=false]
The Effective CIO 
A bit of devils advocate here:
I think there is the concept of risk here and the tradeoffs. If it is a commodity item and that data is say simple reference data then the cost effective nature of a cloud, SaaS and ASP may work.
Also, if cost pressures drive you to the cloud, you can still do penetration testing and a myriad of risk management functions against the black box – just like the hacker!
[…] readers know that I have some strong concerns about cloud computing, especially in the arena of security. I’ve enjoyed a number of vigorous debates with both vendors and fellow CIOs regarding […]
but what about data leakage via the mobile device? do you have any kind of endpoint security for the mobile device?