In the Cloud, Don’t KISS.

Remember the Y2K dotcom era when every Tom, Dick and Harry rushed to ride the Internet bubble? It looks like many of us have forgotten our lesson, the instant Internet 2.0 (or is it 3.0?) made a comeback on a cloud, viz. Signing up for Cloud Services like you are applying for a credit card. Follow the herd mentality, you know.

To get smarter, faster, and better, go easy. And then act with speed. That’s how you win the race. Just because your competitor, your associate, or your vendor is moving to the cloud, doesn’t mean you mimic them without giving it any more thought. Think before you ink a SLA. Is your CSP (Cloud Service Provider) capable of delivering standards-based cloud solutions that are designed from the ground up to meet your specific enterprise requirements? Does your Service Level Agreement with your CSP also cover your requirements for monitoring, logging, encryption and security? Do you have the domain specific IT knowledge and expertise and the corresponding environment in place before signing up for a cloud solution? And are your security protocols in optimum functional mode?

Security protocols: Keep a hawk’s eye on them. In CIO circles, they warn you not to KISS (Keep It Stupid & Silly) when you sign for the cloud. KISS refers to common mistakes in an enterprise such as for instance, failing to to register your passwords and individual IDs with the enterprise; turning a deaf ear to demands for secure Application Programming Interfaces (API); and wrongly assuming that you are outsourcing risk, accountability and compliance obligations as well to the cloud.

The ironic party of this business of securing the cloud is the challenge of arriving at an ideal tradeoff between the need of the enterprise for security and the need of the consumer for privacy. The Economist in “Keys to the Cloud Castle” succinctly sums up this dilemma faced by cloud-based internet storage and synchronization providers like say Dropbox, using a house metaphor. Which do you prefer: An access through a master key which is in the hands of an authorized internal security or an access whereby you choose your own security key. The problem with the former is in the key falling into wrong hands, while in the latter case, the danger is in losing all access if you lose the key due to negligence. Cloud security scientists so constantly look to find a middle path that combines privacy with security.

Does this mean that a perfectly secure cloud computing is still a chimera? Happily for us, recent research in cryptography shows homographic encryption – a new algorithm which would enable a Web user to send encrypted data to a server in the cloud which it turn would process it without decrypting it and send back a still-encrypted result – is well on the way to become a pursuit of wow, among CIOs.

A clearly demarcated delegation of tasks between cloud providers and security providers could serve as a rule of thumb for ensuring both security and privacy. Cloud providers should focus on providing access, anywhere, anytime, while security providers should focus on core encryption. An integration of both these services can lead to a seamless and secure user experience. For example, you as an user encrypt your files directly on your laptop/desktop/phones, and then upload the encrypted documents to the cloud.

Bottom line: Don’t sign up for the cloud like you are applying for a credit card. Outsourcing your ideas doesn’t mean you also outsource your thinking..

For A Better Cloud Security – Wheel it Different, instead of Reinventing the Wheel !

Saas served as sauce? Wow. But only as long as it’s secure. And that’s where the penny drops. No matter. Big money now is way too big on cloud services. We can’t roll back the Age of Participation. The jury may be pondering on how secure is the cloud, but the verdict is only going to tweak “how secure is the cloud” to “how to secure the cloud”.

Yes, there is a cloud over the cloud. Less than a year ago, hackers stole 6 million passwords from dating site eHarmony and LinkedIn fueling the debate over cloud security. DropBox, a free online service provider that lets you share documents freely online, became “a problem child for cloud security” in the words of a cloud services expert.

The “Notorious Nine” threats to cloud computing security according to the Cloud Security Alliance (CSA), a not-for-profit body: Data breaches, data loss, account or service traffic hijacking, insecure interfaces and APIs, Denial of service, malicious insiders, cloud abuse, insufficient due diligence, and shared technology vulnerabilities.

However, a problem is an opportunity in disguise, and so the algorithm waiting to be discovered is to how to outsmart the hackers and overcome the threats to cloud security. More so, since the advantages that accrue from cloud services viz. flexibility, scalability, economies of scale, for instance, far outweigh the risks associated with the cloud.

One way for better cloud security is to use a tried, tested and trusted Cloud Service Provider (CSP) rather than to self-design a high availability data center. Also, a CSP yields more economies of scale.
Virtualized servers, though less secure than the physical servers they replace, are getting more and more secure than before. According to research by Gartner, virtual servers were less secure than the physical servers they replaced by 60% in 2012. In 2015, they will be only 30% less secure.

To do the new in cloud security, we could begin by reinventing the old. The traditional methods of data security, viz. Logical security, Physical security and Premises security, also apply to securing the cloud. Logical security protects data using software safeguards such as password access, authentication, and authorization, and ensuring proper allocation of privileges.

The risk in Cloud Service Offerings arises because a single host with multiple virtual machines may be attacked by one of the guest operating systems. Or a guest operating system may be used to attack another guest operating system. Cloud services are accessed from the Internet and so are vulnerable to attacks arising from Denial of Service or widespread infrastructure failure.

Traditional security protocols can also be successfully mapped to work in a cloud environment. For example Traditional physical controls such as firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Network Access Control (NAC) products that ensure access control can continue to be critical components of the security architecture. However, these appliances no longer need to be a physical piece of hardware. A virtual firewall, like for example Cisco’s security gateway, performs the same functions of a physical firewall but has been virtualized to work with the hypervisor. This is catching on fast. Gartner researchers predict that by 2015, 40% of security controls in the data centers will be virtualized.

Moral of the cloud: You don’t have to reinvent the wheel to secure the cloud. But we need to keep talking – to wheel it differently.