Insecure State of the Union
Cloud security enthusiasts and evangelists will be quick to downplay the significance of the latest “cloud compromise” news: “Hackers deface 49 Congressional House websites after State of the Union”. Whatever any of them say, the reality is what it is – government data does not belong on the cloud, period.
“Shortly after the President completed his State of the Union speech, a well-known group of Brazilian hackers, Red Eye Crew, apparently had their own comments to make. Unfortunately, they decided to voice their Obama-directed profanities on House Congressional members’ websites. The same hackers had previously broken into sites for the U.S. Department of Transportation, the U.S. Department of Agriculture and NASA. Apparently all sites were hosted and managed by GovTrends, an Alexandria, Va.-based Web services provider. Likewise, 18 of the 49 hacked sites experienced similar attacks less than a year ago, through vulnerability with the same vendor.”
The nature of the attack is irrelevant, as there will be a lot of downplaying and marketing against what occurred: “It was a cross site script, data wasn’t affected”, “you can’t say all clouds are the same”, “it was the vendor”, “it was the coder”. Any argument one chooses is relatively weak. Facts are what they are: a hacker group successfully targeted the Obama administration and 18 servers were compromised. It is clearly evident that government needs to stay as far away from the cloud as possible. There are many very talented security professionals who make a very good case for “cloud computing”, and the reality of “security in the cloud” is – it’s non-existent.
This recent compromise compounds this. I’m positive that “GovTrends”, the “cloud provider” for the government that was compromised, had a security program in place, had performed risk assessments, and had firewalls, intrusion detection and all sorts of other nifty security controls in place. If they didn’t, it is highly unlikely they would have gotten the contract to host government data in the first place. What this compromise obviously shows is that cloud providers will not get it right. The reason behind this statement is that the exposure is far too high.
ex·po·sure
1 : the fact or condition of being exposed
a : the condition of being presented to view or made known
b : the condition of being unprotected
c : the condition of being subject to some effect or influence
d : the condition of being at risk of financial loss; also : an amount at risk
When companies or governments maintain control over their own Information Technology environment, that party is aware of the controls needed for security. There may be file permissions that need to be in place and, in the case of governments, classifications that need to be in order. Security controls are known and there is (or at least should be) a high level of accountability. Administrators, engineers and managers of that data know their behinds are on the line. There is likely to be a greater emphasis given to the security of that system. There is likely to be a more focused and targeted method to secure the server or network. In a cloud environment it is solely word of mouth along with a Service Level Agreement and whatever marketed security writing the cloud provider cleverly mangled together. Certainly whatever GovTrends promised didn’t pan out as expected. Again – this is evident by the compromise – nothing to debate here, move along.
Recently someone countered some of my writing and quipped:
“You can’t “technically debunk” the cloud. As with all security decisions, there is a trade off between “more secure” and “cost” and each situation requires its own risk assessment. A stay at home mom who knits in her spare time has no reason to set up her own web server and point of sale system so she outsources that to the cloud via eBay. On the “needs more security” end, the Federal Government has no reason to have each base in the military have its own email server so it outsources that function to large data centers, creating a cloud.”
This individual I know – or at least perceive – to be highly knowledgeable in security on the CISSP, CISM level; perhaps he’s even highly knowledgeable on the technical level as well. However, one cannot compare apples and oranges. My response to him was logical (at least from my perception) and since it was a rather long response, here is the relevant snippet:
“A stay at home mom does not have to worry about leaking out data on classified nuclear material, troops’ positions, nuclear football locations and the like. … For starters, a cloud provider isn’t going to let you assess anything beforehand obviously. So what should I do, rely on their experts? … This while the cloud evangelists sing “the cloud does not introduce any new security threats or issues.” He’s right, they’re not new security threats, they’re just amplified and beyond my control. No thanks… So while Sally the house mom can knit her little scarves, I as a consumer don’t really care what she does or where she does it. As an American, I am concerned with the marketing of the cloud as a “secure alternative” especially when it comes to military or other parts of government…”
Many still choose not to accept the reality of it (security in the cloud being non-existent). Perhaps the passion behind truly trying to achieve a “secure cloud” is what blinds them, perhaps it is the financial benefits – certainly a billion dollar industry is nothing to sneer at. Reality is what it is – the moment you move your data elsewhere your exposure is a lot greater. I am willing to bet anyone that had the Obama administration kept their servers in-house, the likelihood of those attacks occurring would be non-existent. Remember, according to the article, this isn’t the first time hackers compromised that provider. Sadly, they were re-compromised with the same vulnerability. Fool me once shame on you, fool me twice?
JO
http://www.gather.com/viewArticle.action?articleId=281474978021691&grpId=3659174697241980

