Tomorrow Is Another Day

2010 January 27
by aeon

TMCNET posted a pseudo-interesting document this morning entitled “Cloud Security Recommendations” and, in an investigative and logical fashion, I decided to analyze what was said by TMCNET and what is being said by others in the industry. I hereby introduce the “Top 10 Ways To Waste Corporate Money on Cloud Computing Security Assessments.”

For the past few weeks, industry sales personnel have been bombarding the media outlets with news of catastrophic events. The recent Google vs. China debacle — in which a backdoor created by Google had been compromised by China [1] — has been misunderstood by many in the industry. The understanding that “China’s hackers subverted the access system Google put in place to comply with U.S. intercept orders” is a far cry from theories of an “Adobe” or IE6 exploit. I am left wondering when the media will come around to reporting on this backdoor as opposed to solely revelling in nonsensical information that is — and will forever be — unsubstantiated.

Irrelevant? Sort of. If you’ve followed us this far (the blog), you will notice the word play inherent in that statement: “Irrelevant – sort of.” The fact is, the only thing that should be relevant to you is your data. Whether you are a business owner or an individual, data should be the cause of your concern. It is likely that this is how you earn your bread and butter.

In the TMCNET article, the author lists his ten security recommendations, so let’s have a look at them:

1. Those exploring cloud solutions should establish their risk appetite and evaluate offerings against it.

I state: Those exploring cloud solutions should take a logical approach and ask with clarity: What do clouds do? Answer? Usually evaporate. Risk appetite, as explained by KPMG, is: “the amount of risk, on a broad level, that an organization is willing to take on in pursuit of value. Or, in other words, the total impact of risk an organization is prepared to accept in the pursuit of its strategic objectives.” I will always use the same statements as experts to give credence to my points. So if you run into a lot of quotes, understand that I do this in order to support my own claims.

Is an organization really ready to risk huge financial losses on the theory that a cloud will always be there? Logically, clouds in the sky evaporate; “technology clouds” are no different. There are many different problems with relying on a cloud for anything at all, so for an organization to have an “appetite” for losses versus rewards in this arena is mind boggling. We’ve already posted the numerous occurrences of outages from cloud providers, and it doesn’t take a financial wizard at the Federal Reserve to document the losses stemming from these outages.

2. Companies looking for cloud solutions should establish a cloud provider security risk profile and update it at least annually.

I state: Companies looking to waste money should waste their time and resources studying the inaccurate information provided by cloud companies. There is no mechanism to gauge a cloud provider’s risk profile. Anyone claiming they can do so is likely capable of selling you stocks in the up-and-coming sale of the Brooklyn Bridge. This fact was disclosed by ENISA who gave “cloud anything*” a high risk rating (page 22 [2]).

3. Those exploring cloud solutions should use a risk vector analysis matrix to evaluate cloud providers and those served by the same cloud vendor.

I state: See my counter above for number 2. The author at TMCNET is not telling us anything new. Why should I spend money that could be going to development and research to move my business forward to try assessing someone else’s business?

4. Make sure you evaluate the security program for cloud computing vendors up front and use it to narrow down potential vendors.

I state: Clearly there is little to be gleaned from the continuous marketing and overhyping of the cloud, since the security in the cloud is not-so-great. Not to be repetitive, but ENISA clarified this in R.2 LOSS OF GOVERNANCE: ‘There is no mechanism to perform an independent evaluation beforehand.’ “Hi Amazon? I’m thinking of using your cloud but I want to first validate on my own that you’re secure. Therefore I’d like to send a real world pentesting team comprised of listeners from Exotic Liability.” [4] How does the author propose that someone actually perform a real evaluation on a cloud provider and then validate the findings of that assessment?

The remainder of the article points out much of the same — nothing that we haven’t read elsewhere …

5. Ensure your contract with the cloud provider includes ongoing security reviews and language mandating immediate notification (within 24 hours) of serious security events.
6. Review the cloud provider’s HR and supply chain practices and employee background check process and hardware/software/equipment sourcing security needed to reduce threats.
7. Know the names of all other organizations supported by the cloud so that you can assess any increased risks they may bring.
8. Use common controls reviews based on the ISO 27000 and 28000 standards to reduce the assurance burden.
9. Address in your contract the legal risks like subpoenas, e-discovery and jurisdictional issues as well as technology licensing issues.
10. Finally, conduct a cost/benefit/risk reduction analysis of vendors offering secure cloud solutions with hardened data centers, hardware isolation and other security fortifications.

Again, many of these have been addressed by ENISA and it seems that those pushing for businesses to “come to the Cloud” are constantly writing a barrage of articles that are similar to one another. Not one article has raised an eye-opening “Aha! So that’s how we will be secure!” There are far too many what-ifs. If only you secure your cloud dot dot dot ensure your cloud vendor dot dot dot… Don’t sell me a cloud, it’s possible that someone has already tried to sell me a bridge.
