Should Companies Do Most of Their Computing in the Cloud? (Part 1)

Yes. No. Yes. Maybe. Yes. Okay, it’s complicated.

The economics of cloud computing are compelling. For companies, the lower operating costs, the lack of capital expenditure, the ability to quickly scale and the ability to outsource maintenance are just some of the benefits. Computing is infrastructure, like cleaning, payroll, tax preparation and legal services. All of these are outsourced. And computing is becoming a utility, like power and water. Everyone does their power generation and water distribution “in the cloud.” Why should IT be any different?

Two reasons. The first is that IT is complicated: it is more like payroll services than like power generation. What this means is that you have to choose your cloud providers wisely, and make sure you have good contracts in place with them. You want to own your data, and be able to download that data at any time. You want assurances that your data will not disappear if the cloud provider goes out of business or discontinues your service. You want reliability and availability assurances, tech support assurances, whatever you need.

The downside is that you will have limited customization options. Cloud computing is cheaper because of economics of scale, and—like any outsourced task—you tend to get what you get. A restaurant with a limited menu is cheaper than a personal chef who can cook anything you want. Fewer options at a much cheaper price: it’s a feature, not a bug.

The second reason that cloud computing is different is security. This is not an idle concern. IT security is difficult under the best of circumstances, and security risks are one of the major reasons it has taken so long for companies to embrace the cloud. And here it really gets complicated.

On the pro-cloud side, cloud providers have the potential to be far more secure than the corporations whose data they are holding. It is the same economies of scale. For most companies, the cloud provider is likely to have better security than them—by a lot. All but the largest companies benefit from the concentration of security expertise at the cloud provider.

On the anti-cloud side, the cloud provider might not meet your legal needs. You might have regulatory requirements that the cloud provider cannot meet. Your data might be stored in a country with laws you do not like—or cannot legally use. Many foreign companies are thinking twice about putting their data inside America, because of laws allowing the government to get at that data in secret. Other countries around the world have even more draconian government-access rules.

Also on the anti-cloud side, a large cloud provider is a juicier target. Whether or not this matters depends on your threat profile. Criminals already steal far more credit card numbers than they can monetize; they are more likely to go after the smaller, less-defended networks. But a national intelligence agency will prefer the one-stop shop a cloud provider affords. That is why the NSA broke into Google’s data centers.

Finally, the loss of control is a security risk. Moving your data into the cloud means that someone else is controlling that data. This is fine if they do a good job, but terrible if they do not. And for free cloud services, that loss of control can be critical. The cloud provider can delete your data on a whim, if it believes you have violated some term of service that you never even knew existed. And you have no recourse.

As a business, you need to weigh the benefits against the risks. And that will depend on things like the type of cloud service you’re considering, the type of data that’s involved, how critical the service is, how easily you could do it in house, the size of your company and the regulatory environment, and so on.

This essay previously appeared on the Economist website, as part of a debate on cloud computing. It’s the first of three essays. Here are Parts 2 and 3. Visit the site for the other side of the debate and other commentary.

Tags: business of security, cloud computing, debates, economics of security, essays, laws, risk assessment, risks, threat models

Posted on June 10, 2015 at 6:43 AM • 45 Comments

Comments

Jan Doggen • June 10, 2015 7:00 AM

Just curious:

“Criminals already steal far more credit card numbers than they can monetize”

Any data to back this up?

Bigfishinnet • June 10, 2015 7:08 AM

Terms of service a security threat: Cloud Computing requires terms of service. The nature / details of these can be a security threat to your data, online privacy, etc,etc.. Make sure you read them. At one stage the Prezi Terms and Conditions for example, there will be others…..

Jordan Brown • June 10, 2015 7:18 AM

Looks like a missing close-italics after Economist.

Andrew • June 10, 2015 7:50 AM

As soon as companies will have all their assets on cloud, the data relocation cost will be that high that the company becomes basically a cloud hostage.
And the cloud owner can rise the cost at will. And you can do nothing about it.

Javier Tánago • June 10, 2015 8:07 AM

Hello! After reading the article I think that it could be interesting to share our project. We are a team of Security Engineers with more than 25 years of experience and we have just developed a device to protect your data in the cloud, resolving the concerns reflected in the article. You will have all the benefits of the cloud but you will still own your data. If you want more information please visit http://smidcloud.com. Thanks and sorry for any inconvenience!

Rhidian • June 10, 2015 8:08 AM

Cloud is why I hate dropbox. It’s not bad per se, but, I believe, stores all its data on AWS. In America. Which, according to UK data protection laws, we’re not legally allowed to do. So when someone phones up and says “I just need to use dropbox…” aaagh! Although to be fair, I think this points to the UK data protection laws being out of date rather than any fault in dropbox.

Riku-Pekka Silvola • June 10, 2015 8:19 AM

ENISA (European Union Agency for Network and Information Security) recently released a Cloud Security Guide for SMEs which discusses the related risks and opportunities. In addition it includes a checklist that can be useful in evaluating cloud as an option, and important questions to ask from any potential cloud provider. While everything mentioned in the guide has been already discussed in detail it can provide a concise refresher on the important details to consider.

CouldntPossiblyComment • June 10, 2015 8:28 AM

@Andrew “As soon as companies will have all their assets on cloud, the data relocation cost will be that high that the company becomes basically a cloud hostage.
And the cloud owner can rise the cost at will. And you can do nothing about it.”

This assumes you use only one provider at design/migration time. It’s also, forgive me, a fair amount of FUD compared to the reality of cloud providers at least today. There’s sufficient competition that the public cloud providers are doing anything but raising their prices.

Besides, if you’re not doing off-site backups or replication out of a single cloud into something else, you’re probably doing it wrong for truly key data you can’t afford to lose. Cloud providers are providing services; the fundamentals of your data don’t really change that much. Databases are still databases, regardless of where they’re hosted. Blob & key/value stores are still the fundamental technologies they’ve always been.

Even that is ignoring the wealth of hybrid solutions out there. Plenty of ways to link virtual private clouds to your own WAN to offload peak load and enjoy better scaling without committing entirely. AWS for example has some great features for this.

I did hear an interesting design anecdote around cloud & security – if you can’t trust the network infrastructure you’re on, and you can’t trust the layers above your application, at least you’re designing from the right starting point.

keiner • June 10, 2015 8:47 AM

Is Israel also interested in the cloud, not only Iran and KAspersky? Who knows….

http://www.spiegel.de/netzwelt/netzpolitik/kaspersky-virenjaeger-entdeckt-virus-bei-sich-selbst-a-1037898.html

kronos • June 10, 2015 8:53 AM

@ Andrew “And the cloud owner can rise the cost at will. And you can do nothing about it.”

When my employer signs any contracts for IT services with outside agencies/contractors, controlling costs is a vital concern. And those contracts spell out the costs in as much detail as the bean counters (read: our accountants) need for their own purposes.

Yes, cloud providers can wreck havoc with poor business decisions including costs AND data security. But ultimately it is up to the I.T. staff on the inside to do their due diligence with cloud storage vendors.

My employer has avoided using any cloud services even though there is some push from upper management to do so. We find the issues of cost, uptime and security to be the big three that are hardest to manage.

65535 • June 10, 2015 8:57 AM

If you have a ton of junk photos, movies, and games you could probably store them on the “cloud.” You can afford to lose them.

But, if the data is sensitive and valuable then it is a different story. Anything from data loss to Price Gouging to data ransom could occur.

As the fictional gangster Sunny Steelgrave explained the facts regarding a payment dispute to a gun merchant Sikes who stored his auto rifles on Sunny’s docks, Sunny said to Sikes “We have your merchandize. Possession is nine-tenths of the law. The other ten percent we don’t care about.”

That precipitated a gun battle.

The question is if you give your data to someone else is it going to remain yours? What are you going to do about it if there is a dispute?

Eric • June 10, 2015 9:00 AM

For some of the points you’re making, it’s useful to separate out the idea of “cloud computing” and “software as a service.” For example, SaaS usually come with limited customization options. But “cloud computing” can mean hosting your own customized applications in a manner that allows users to access them without needing to be at a specific location or using specific hardware.

keiner • June 10, 2015 9:06 AM

…or in English

http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-attack-network/

willy-nilly • June 10, 2015 9:09 AM

@Bruce:

Bruce, way back when, companies went to service bureaus to have their computing done, often being connected by a slow terminal. What’s different about Cloud Computing? Thanks.

rgaff • June 10, 2015 9:40 AM

@ Bruce said:

“The cloud provider might not meet your legal needs…. Moving your data into the cloud means that someone else is controlling that data.”

You are understating this here, Bruce… When you store your data in the cloud, legally, in the USA, YOUR DATA IS NOT YOUR DATA ANY LONGER!!!! IT FULLY AND COMPLETELY BELONGS TO SOMEONE ELSE!!! You don’t have to be served with any warrant for your data to be scooped up by the government… the cloud provider is served by a general warrant for all of ITS data. Therefore, it’s not your data, it belongs to whoever owns the physical machines it resides on… i.e. the cloud provider.

People need to think long and hard about whether they really want to just gleefully kiss their legal ownership of their data goodbye or not. In some cases this may be fine, in many cases, not, however!

grayslady • June 10, 2015 9:49 AM

Excellent comments, Bruce, in your Economist debate. Like you, I wouldn’t dream of participating in Facebook or LinkedIn. Why make it easier for anyone to obtain personal information about you?

Rufo Guerreschi • June 10, 2015 9:50 AM

As far as trustworthiness, it does not matter where you do your privacy-sensitive computing. What matters is the trustworthiness all critical processes and parts in the lifecycle of a computing experience, be it on “your” device or someone elses or on a hidden service …

plywood • June 10, 2015 9:53 AM

The structure of these cloud services leads to some poor architecture decisions.

Bruce is not at the level of working in these cloud systems, but their quirks/unexpected behaviour consume quite a bit of productivity.

Steve Scott • June 10, 2015 9:56 AM

“A restaurant with a limited menu is cheaper than a personal chef who can cook anything you want.”

But when the personal chef becomes cost competitive, especially if you live longer and healthier because it, then recognize that you can stop eating at those crappy restaurants.

“Even though we have ever more powerful computing devices–computers we carry everywhere and are always connected–we delegate this power to clouds of computers controlled by a handful of large corporations. Instead of a powerful distributed network, where everyone has powerful computing devices in their homes, workplaces, and carried with them, our computers go underused, sitting idle most of the time, wasting their capabilities. As of writing this, my smartphone has the computing power of the world’s fastest supercomputer from 1992 (source: Top500.org).” [1]

[1] http://stevescott.ca/?p=824

keiner • June 10, 2015 10:25 AM

on the Economist website, as part of a debate on cloud computing.

should read

on the Economist website, as part of a debate on cloud computing.

…to end this cursive nightmare on this page….

JonKnowsNothing • June 10, 2015 10:30 AM

Any business that puts their “Assets” in “The Cloud” deserves exactly what they get…

Kaspersky got it today…

The Russian IT security firm Kaspersky Lab has discovered a new, powerful cyber weapon, apparently a successor to the notorious Duqu software. But this time the virus hunter itself is a target.

http://www.spiegel.de/international/world/israel-thought-to-be-behind-new-malware-found-by-kaspersky-a-1037960.html

And more of it is coming from Cloud Providers more than willing to take your Shekels to give you a few Magic Beans provided by The Big Bad Wolf.

They also want your Cake. And yours and yours and yours … pointing “To The Cloud”.

je • June 10, 2015 11:06 AM

Technical details bellow:
https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

Basically, all these possible because communication with command&control servers and data exfiltration are possible.

Nobody cares about a design with data separated from firewall/routers. And of course, no OS producer knew about the 3-4 zero days used in such attacks…

David Leppik • June 10, 2015 11:09 AM

Interesting that Bruce is listed on the debate site as a “No” despite his ambivalence. My take is that it’s just as complicated as Bruce says, and probably twice as complicated.

One of the biggest threats is when companies decide to outsource their security to the cloud, thinking that they can fire their in-house security experts. Which is the corporate equivalent of getting rid of your house keys because you’ve got an alarm service.

Clive Robinson • June 10, 2015 11:21 AM

@ Bruce,

On the pro-cloud side, cloud providers have the potential to be far more secure than the corporations whose data they are holding.

I think you should better qualify that, because it’s a major issue even though it’s effectivly hidden.

As you note further down Google got hit quite hard by the NSA due to an assumption. Google quite sensibly use a wide geographic dispersion for parts of their cloud solution. These were connected together via significant data pipes, at the design time encrypting the pipes had significant cost implications. The mistake they made was assuming that “private network” ment what it said. Unfortunatly they did not think it through far enough, GWB gave retrospective immunity to Telco’s which should have been a big red flag that the US IC had been doing illegal things through the Telcos going back to atleast 9/11 if not much much longer. Thus “private network” nolonger ment what it said (something all CEO’s COO’s and CISO’s should take on board seriously).

But the problem is considerably worse than that, for years we’ve had the “five lines of code a day” mantra which is in part due to the “One in five lines has a bug” statistic. Whilst the actual numbers have changed to a certain extent there is no denying that production code is full of bugs, some of which can be used as attack vectors.

The bugs fall into two types of interest “classes” and specific “instances” both of which fall into the publicaly “known” or “unknow” catagories. Obviously you can only intentionaly defend against bugs / attack vectors if they fall into the “known” catagory.

The rate that usable attack vectors are being found is increasing with time and at a rate faster than they are getting fixed, thus even when known some attack vectors are not being addressed. Thus the relevent questions are, “Are these vectors being exploited?”, “And by whom?”.

Which brings up the game of probabilites or, “Is a patch going to get on the systems you use before data is exfiltrated?”. The answer to this is rather interesting and depends on the attackers motives and the visability of the systems you use.

I’m not going to go through all the stats others have and are in the process of that and writing it up as academic and white papers (in part for the “fame and glory” 😉

However from the sources I have available, the bottom line for the average organisation is, your data is less likely to get exfiltrated if you don’t use public cloud services, which is not what the service provider industry want’s to hear.

There are non average organisations that will get specifically targeted, if you are responsable for information security in one of those I feel sorry for you, you are going to get scr3w3d like it or not unless there is both compleate buy in from managment and the extensive resources needed. As neither is likely to be true it’s just a question of time before the inevitable happens.

Is there something you can do to protect your career? Well yes there is and it’s a game some senior managers and many politicos play. It works on the “jump ship” and “failure is others” principles. Put simply when you are sufficientlt senior you join a company with no intention of staying, you initiate a review that finds your predecessors systems to be inadiquate, you then implement a corrective project. Then at an oportune point before the project finishes you jump ship to a new company. If as is likely the project fails you can blaim those left behind for not following your plan etc, if the project is successful for a time you claim it as your success for putting in good foundations at interview ‘yardy yardy yack yack’.

The reality is that all such projects have a very limited shelf life due to “public unknowns” that are “known privately” to some, thus the success or failure of the project falls to how long before somebody decides to target the systems you use. On a major cloud service it’s a racing certainty it’s already happened by the likes of the IC irrespective of how good or bad their security people are. Thus you need to protect not just the systems but the data as well using various techniques that unfortunatly tend to be resource intensive for data not at rest.

RSaunders • June 10, 2015 11:44 AM

Eudora users with their own mail servers unite! (Is Hillary in the club?)

I think a distinction exists between what “most companies” ought to do and what “the most sensitive companies” ought to do. This distinction is all over the place in non-computer security. Most companies buy Schlage door locks and digital safe locks. These are high quality products with established supply and repair/support networks. Sensitive companies buy door locks from Medeco and safe locks from Kaba Mas. It’s not price driven, though the more secure products cost a little more, it’s driven by an understanding of the differentiating capabilities of the exotic products.

It we expect “most companies” to have IT staff at the “Bruce Schneier Level”, then the world is doomed. That’s not an achievable, much less affordable, approach. Most companies ought to face facts that they aren’t knowledgeable enough to take good care of their data against the broad spectrum of threats, and turn it over to Amazon or Google. That would concentrate expertise in those cloud providers, and leave enough expertise available that the few remaining companies with real data concerns could go fully spooky.

I think the biggest problem is the large number of companies that over-estimate their data’s significance and their IT department’s expertise. Those folks are the low hanging fruit for evildoers. Get them on a cloud and out of the food chain.

rgaff • June 10, 2015 1:08 PM

@ RSaunders

“Most companies ought to face facts that they aren’t knowledgeable enough to take good care of their data against the broad spectrum of threats, and turn it over to Amazon or Google.”

Spoken like a true NSA con man. “You all are too stupid to handle your own stuff, give it all to your government for safekeeping (and monitoring too, of course, to make sure you’re towing the line).” As long as the likes of Amazon and Google are in bed with them, this is a direct translation for what that really means.

Tom Bortels • June 10, 2015 5:05 PM

You have to be careful with statements like “cloud providers have the potential to be far more secure than the corporations whose data they are holding.” – it is true, but easy to read more into than it says. The security of the cloud provider, while important, is a small part of the puzzle. It is easy (trivially easy) to build poorly, even on the strongest of foundations. And – if my AWS instance is hacked – I really am not worried about AWS being hacked because of it, simply because they would happily sell time to the attackers on their very own instance for pennies an hour. My cloud provider being secure is necessary, but not sufficient, for my own security.

Having said that – cloud providers can provide a reasonable amount of assurance that the infrastructure below a certain level is well maintained; and I have worked many places where the folks in the private datacenter could not make the same claim. I was very favorably impressed by AWS in terms of “how likely is it a bad guy will come over and pull a drive out of my system and copy the data” – I have reasonable assurance that if someone does that, it would be AWS themselves (as a result of a court order, one hopes) – or an attacker who stole my credentials, which is my own fault. I cannot say the same of most other networks, simply because the physical precautions Amazon (and Google and perhaps Microsoft) can take are only effective at massive scales.

To put it another way – every private datacenter I have used has been vulnerable to a conspiracy of a handfull of the correct people taking it all – the inside job is really really hard to defend against. Short of getting my credentials – by virtual of isolation and policy and audit, I doubt very much a small conspiracy could do the same at a big cloud provider, because there are physical impediments (in AWS, for example, they hard partition people with physical access, and people with logical access. If you touch hardware – your software rights are “go get an account like anyone else”. At google, the hardware is often not even accessible until they take down the whole section, from what I am told…)

Nick P • June 10, 2015 5:39 PM

@ Bruce

Interesting essays. I agree with much of what they say, enjoyed reading it, and will focus on the few critiques.

“the economics… lower operating costs, the lack of capital expenditure, the ability to quickly scale and the ability to outsource maintenance are just some of the benefits.”

This might be true for poorly-managed IT shops. Every cloud offering I’ve looked that’s comparable to my own physical servers costs more than what I’d spend locally. The maintenance of server-side of many companies can leverage one administrator given the right (free) tools and choice of systems. Companies always have at least one admin so this isn’t an extra cost. The networking & desktops must be there anyway along with maintenance. So, the only benefits left are quick scaling (a real benefit), maybe lower costs in data transfer (leased lines), and lower capital expenditure. The latter is sometimes offset by clever IT people’s use of eBay and homebrew servers.

” Everyone does their power generation and water distribution “in the cloud.” Why should IT be any different?”

Because it’s worked fine without a cloud. Plus, the resiliency, control, and cost benefits of a decentralized scheme have been proven repeatedly. Cloud is too centralized in control, access, and sometimes geography.

“two reason”

I agree with most of what follows this. Good writeup.

” cloud providers have the potential to be far more secure than the corporations whose data they are holding. It is the same economies of scale. ”

This is sort of true. Yet, as I read it, I remember Brian Snow’s statement of the security problem: building a separation paradigm on machines built for pervasive sharing to reduce cost or increase performance. He pointed out that we’d need machines custom-made (i.e. clean slate) for enabling isolation or security. I originally missed the connection of that to the cloud: massive consolidation, virtualization, monoculturing, etc of resources to multiplex as many untrusted entities on as much trusted hardware as possible. Their principles are the same as those that lead to pervasive insecurity.

So, they do have the potential to do it better and have in some ways. On the flip side, their incentives and even their S.O.P. are the exact kinds of things that increase risk of major damage. There are a few exceptional providers, though, who are using diverse hardware as a competitive advantage. Someone could partner with such companies to create a dedicated service for security-critical computing with less critical running on regular infrastructure.

Regardless, from what I’ve seen, clean-slate stuff will require processors behind mainstream by many fold in performance and with significant cost due to limited volume. The cloud has potential to offset the cost by buying volume runs. Yet, their cost would still be several times the competition. That’s on top of guards, etc to use at networking or interface layer. See any secure cloud offerings that charge 5-20x what AWS does out of necessity? If not, then they probably aren’t leveraging secure hardware or even non-mainstream hardware.

@ Steve Scott

Seems we were thinking along similar lines. Systems such as Amoeba, CTOS, and grid computing squeezed out plenty of a group of machines’ potential. Designs such as Globus were superior to the web in many ways, esp efficiency & attack surface. Then P2P technologies showed up which negated the need for much centralized tech while spreading the workload (and sometimes trust) across many clients. I’m sure we could achieve many benefits of the cloud, maybe more, with a decentralized model that’s well-thought out. I’m also sure there’s benefits there that the centralized clouds can never provide.

@ JonKnowsNothing, je

I predicted that Microsoft sharing their source to U.S., Russian, and Chinese governments would result in many 0-days in nation-state malware. Although I can’t prove it was the reason, we did see more of those over time despite a general trend of less being found by black hats. If it helped, then the Government Security Program sharing source with more countries should surely lead to more attacks.

@ RSaunders

“I think a distinction exists between what “most companies” ought to do and what “the most sensitive companies” ought to do. This distinction is all over the place in non-computer security. ”

Good point about that. There are certainly companies that know their data is too sensitive to select IT products purely on cost. Marketing to them is very different than marketing to the majority that will sacrifice plenty for cost or features.

“It we expect “most companies” to have IT staff at the “Bruce Schneier Level”, then the world is doomed. ”

That isn’t necessary. They just have to hire pro’s to evaluate their security posture then act on their advice. Hiring and/or training application developers similarly helps, too. They can also use dedicated networks or PC’s for mission critical stuff. There’s also always paper, traditional projectors, or face-to-face conversations in the expensive building they bought. Many options to reduce risk.

“I think the biggest problem is the large number of companies that over-estimate their data’s significance and their IT department’s expertise. Those folks are the low hanging fruit for evildoers. Get them on a cloud and out of the food chain.”

They do but your response is wrong. The cloud systems can be hit just as easily. Further, most of the attacks are done with bad security of web applications. Putting those applications on a cloud doesn’t change the fact that they’ll be hit. Better to fix the problems in the business with solutions and services that serve their needs while eliminating their risk areas. That’s what the mainframe and managed security vendors have always done. We can do more of that while trying to drive the cost down with new innovation.

tyr • June 10, 2015 5:40 PM

I think Bruce has nicely summed up the whole cloud
mess. Everybody has a mad scheme that hasn’t been
clearly thought out. Are your eggs safer in someone
elses basket or are they safer in your own. Sales
departments will assure you that they can’t be as
safe in your own basket.

The average L(user) can get by with a netbook (dumb
terminal) but is that really the best corporate
business model to bet your company on ? Cost is a
consideration but betting your future to save a
few dollars this week seems far too risky even if
the marketing hype sounds too good to be true.

You should also notice that the big players are
all pushing the cloud as the answer but no small
players asked for it as a solution.

If you ever got burned by a faulty backup you’d
be as wary as the old comp guys about magic fixes
for all your problems.

Justin • June 10, 2015 6:20 PM

@ Nick P

Vendor lock-in is a big part of the business model of “the cloud”:

Gain control of a smaller or less sophisticated company’s core IT assets.
Make it difficult to transition away.
Charge a monthly fee, (which may increase with data storage.)
Upsell additional features.
Profit.

For cloud providers, it is apparently well worth all the wining and dining, hyping it up, putting out white papers, getting the press to write articles about it, getting consultants to sell it, managing public relations, and just about anything else under the sun to get one more paying customer.

Anytime somebody puts that much effort into selling something, you have to ask yourself, “How expensive is this really going to be for me or my company, and can I do it myself for less cost in the long run?”

mb • June 10, 2015 6:44 PM

On the pro-cloud side, cloud providers have the potential to be far more secure than the corporations whose data they are holding.

A dedicated provider’s network is more likely than not significantly better secured than the networks of many of their customers. But that is quite irrelevant with the question isn’t it?

I haven’t heard of any cloud providers that offer courier services by horse. Last time I checked you access them over the internet … from your crappy network. With a username, a password and sometimes a token. So yeah. Attacking Google and Microsoft probably is quite hard. But why on earth would anyone want to do that if he’s after YOUR DATA? That’s only necessary if you are after ALL OF IT or a random large bunch of it. If you are after a specific customer you target that customer. He’s got the keys.

Virtually no one attacks Twitter when they hijack accounts. They attack the owners of those accounts.

This is a typical case of chained security. And in that case the overall security you have is way on the side of the weakest link. And that’s your crappy corporate network.

The cloud provider only adds marginal security on top of that and you happily provide all of that when you access it from within your owned network. Usernames, passwords and even tokens generated by offline hardware. You have to enter all that at owned desktops.

If an attacker needs to remove all that on his own. Well. Good luck with that. But that is not the case. You don’t kick in a hardened vault. You steal the keys. Even if the provider would limit access by IP address…you are at that address. If you have an account there is nothing they can do about it. It’s part of their service to give you access to your data. And there is no way in hell you are going to protect that access with your crappy network and phased down IT.

Cloud providers can offer MUCH better services at data retention or service uptime and they can offer certain services in small volumes much cheaper. If that’s the reason it’s a good one. But they cannot be more secure than your network. If that’s your reason you better ask them about their horses.

GeorgeL • June 10, 2015 7:22 PM

It’s very interesting to see mixed views from so many experts who frequent, or not, this blog. This kind of reminds me of the e- or not to e- dilemma at the turn of the century. Resisting the future had proven to be futile.

Justin • June 10, 2015 8:12 PM

@ mb

“This is a typical case of chained security.”

You know what you’re talking about. Unfortunately not a lot of IT people understand this.

“Cloud providers can offer MUCH better services at data retention or service uptime …”

They’re great for backup. For service uptime, I agree if you’re providing some service to the public, but then there’s the case where you just want access to your own data even if your internet service is down.

“… and they can offer certain services in small volumes much cheaper. If that’s the reason it’s a good one.”

Yes, … BUT that’s not the profit point for the cloud provider. They only start to make a profit when you inevitably accumulate more data and/or grow your business, at which point your needs become more sophisticated, your data is locked in to a limited service model, and you realize you now need those “extra” features that are upsold, and you have to pay for them.

@ GeorgeL

“Resisting the future had proven to be futile.”

Perhaps in your starry eyes you confuse “the future” with “the cloud.” As far as courier services by horse are concerned, I am certain they find some use in such areas as the Islamic State where there are elevated data security concerns. In other parts of the world, I assure you, horse races are still big events.

Nick P • June 10, 2015 8:14 PM

@ Justin

“Vendor lock-in is a big part of the business model of “the cloud”:”

I would guess so but I don’t stay current on cloud to assess all your points. The one thing I remember from initial research that supports your post was incoming vs outgoing data. The incoming data, IIRC, was free while they charged for the outgoing data. This seems like a good deal if you have GB’s or TB’s of data going in during a transition to the cloud. You use it for a while, producing even more data. A few years to a decade in and I wonder what it costs to get out of that cloud? Sounds like lock-in to me in a much more obvious way ($’s to leave) than prior attempts (eg obscure formats).

“Anytime somebody puts that much effort into selling something, you have to ask yourself, “How expensive is this really going to be for me or my company, and can I do it myself for less cost in the long run?””

I totally agree. Further, I’ve been working on business model concepts for IT companies that would solve a lot of this. It’s all about structuring the incentives to ensure certain quality of software and service with no sneaky stuff. Charter, contracts, location, choice of software/hardware, and so on factor in. Still working on specifics as I have so many permutations. Thing is, most Fortune 500 companies would never sign a clear guarantees that they’d never do anything you worry about along with strong transparency that this is the case.

If they did, it would be “subject to change at any time without notice” along with one hell of an indemnification clause. 😉

@ All
(esp Bruce)

Let’s also remember that we have two major drives delivering cloud-like functions: local and remote cloud. The remote is what Bruce is discussing. Yet, we’ve seen equal innovation and cost-reduction in companies like Google and Facebook that innovated considerably in infrastructure to support their own operations. The metrics they delivered smashed what hosting and mainframe companies were offering in a number of ways. You could even say, unless I’m misremembering, that they inspired the major cloud services such as Amazon to develop similar infrastructures that they re-sold.

So, there’s actually two movements in infrastructure going in parallel with plenty of overlap. They’re both improving at an incredible rate. They’re both doing a mix of sharing technology and keeping best stuff secret for competitive advantage. There’s even a whole hardware industry for them, from custom networking to CPU’s, that do everything better than vanilla hardware, software, and Internet protocols. Much of this is available to enterprises in general, companies like Rackable help with datacenter design, some companies ship pre-built datacenters in containers, and there’s more IT pro’s learning the software stacks they use all the time.

So, even if cloud is inevitable, the centralized and external clouds being only option aren’t necessarily inevitable. We can collectively vote with our wallet to push them to make private clouds cheaper and easier to run. I doubt we’ll hit all the metrics of a provider such as Amazon. Yet, a company could achieve most of the important results with a reasonable budget, a smaller amount of staff, and all data in its control. Additionally, this allows for integrating best of breed solutions requiring onsite software or even hardware (i.e. accelerators). I would think the above is quite a compelling business argument for many firms worried about public clouds but wanting better IT capabilities.

Nick P • June 10, 2015 8:53 PM

@ mb

BOOM! Excellent post. Bruce seems to have missed this entirely or forgot about it. I’m so used to assuming it that I forgot about it in this discussion. It really is the end-all argument against cloud security claims given the trusted part of that arrangement is the one without cloud-level security. The ways to deal with it, which I’ve enumerated on this blog, aren’t present in any solution I’ve seen. They also require the same changes to endpoints, networks, and OPSEC that a non-cloud solution relies one albeit with less hardware.

Translation: strong security with cloud isn’t happening until customer’s have strong security in general plus at the cloud. Back to square one for the outsourcing fans.

Nate • June 10, 2015 8:54 PM

“But a national intelligence agency will prefer the one-stop shop a cloud provider affords. That is why the NSA broke into Google’s data centers.”

Yes, obviously – but I would go one step further than that.

Why in the world would or should you trust the cloud provider itself not to abuse the absolutely unlimited access they have to your data? You’ve just handed them the entirety of the software and data component of your business. All your corporate secrets. All your email. All your files.

But it’s encrypted, you say? Nope. If you run ANY cloud compute nodes that access that data, you’ve also handed them the private keys. If you run domain-linked compute nodes, you’ve handed them your domain credentials.

You’ve compromised EVERYTHING about your business to this one huge megacompany who also have millions of other customers. There are NO controls you or any of these other companies now have over this access they now hold.

And – if your business involves anything at all to do with information – your cloud provider is almost certainly in direct competition with you in a number of industries. With every incentive to abuse the secrets they know.

That’s ALREADY as bad as it gets. Why do you need ‘a national intelligence agency’ or any other third or fourth party to further hack this huge security threat in order for you to be concerned about security?

Clive Robinson • June 11, 2015 2:18 AM

@ Bruce, mb, Nick P,

Bruce seems to have missed this entirely or forgot about it.

Not just that, there is also the perverse interests and costs of managment and insurance.

As I noted above access to your data is just a question of when not if, as the cost of stoping it is to high currently (or in the foreseeable future due to various actors interests).

Thus if as a manager you accept this you would look to mitigate the effects of a data breach. The two things you are looking to mitigate are direct financial cost and reputational cost.

For the financial cost the traditional model is “insurance” and the traditional model for reputational cost is “blaim someone else” usually some one with more reputation to lose or who cannot defend themselves.

As Bruce has pointed out in the past such costs can be subcontracted out, banks do it to customers ans merchants with poor CC systems and the likes of EVM are past masters at spin and obsfication.

Currently to the insurance industry cloud computing offers some perceived benifits thus if an organisation uses external cloud they can by shopping around get lower insurance.

From the reputational point of view having your customers details etc stolen from a major cloud provider alows you to spin the reputational issue to your advantage.

Thus the immediate financial cost and reputational cost get pushed out in time via dull legal claims and court cases that will take years to resolve by which time any sensible senior manager will have pulled the rip cord on their golden parachute and landed in a new company, by being able to claim success even though it will turn out to be a fail in a year or two.

GeorgeL • June 11, 2015 6:08 AM

@ Justin

“Perhaps in your starry eyes you confuse “the future” with “the cloud.””

Not exactly. These are Bruce’s words, by which we stay in context. I’ll leave them right here.

Cloud computing is the future of computing; we need to ensure that it is secure and reliable.
Cloud computing is the future of computing. Specialization and outsourcing make society more efficient and scalable, and computing isn’t any different.

“As far as courier services by horse are concerned, I am certain they find some use in such areas as the Islamic State where there are elevated data security concerns. In other parts of the world, I assure you, horse races are still big events. ”

You must have confused me with someone else, but yeah I like horses races too.

“Vendor lock-in is a big part of the business model of “the cloud”:”

It’s definitely a good business model, but I have doubts about how it can be enforced upon its users. With the exception of asymmetric incoming vs outgoing data chages, which obviously suck, what else do you think is drawing the buck?

BoppingAround • June 11, 2015 9:36 AM

” Everyone does their power generation and water distribution “in the cloud.”

What, there are no water wells in US? No premises having generators to keep them running should the grid fail?

Just remind yourself the Amish.

Regarding water your argument still stands. I would amend it a little, ‘from the cloud’ 🙂

Justin • June 11, 2015 2:34 PM

@ GeorgeL

Sorry for the confusion. Mostly I was just kidding.

But regarding vendor lock-in:

Take, say, Microsoft CRM as an example. You have CRM records, stored in a database in a certain format with lots and lots of fields. These can be downloaded in a fairly readable format. Then you have files associated associated with each customer, and you need Microsoft Visual Basic (or Visual C++, I forget) to access these programmatically.

Say you want to move to their competitor, Salesforce. You need to find tools to convert the data, write one yourself, or do a lot of manual labor. Then your employees would need training in the new software.

Can you do CRM yourself? Maintain your own database of customers and their data and your interactions with them? Sure. There are even full-fledged open-source CRM offerings that you can host yourself if you want to. Is this still “the cloud”?

I’m just talking about CRM as an example because it is a relatively mature, competitive “cloud” offering. A lot of the vendor lock-in is simply that people just get used to a particular system, and they don’t want to change. Like with Microsoft Office.

If your business needs some IT service, you have a choice of hosting it yourself or paying someone to host it for you. Are you going buy a washer and dryer and wash your clothes yourself at home or are you going to bring a roll of quarters to the laundromat every week? In some cases it makes sense, but at some point it’s a lot cheaper to buy your own 1TB hard drive than pay $10/GB/month for cloud storage. “The cloud” has to buy its hard drives, do backups, pay for all the back-and-forth bandwidth on its end, pay for all the marketing and sales and hype it generates, and still turn a profit.

I’m sorry, but “the cloud” is a hyped-up business model, not a technology. I’m sure it’s successful and it makes money and it provides convenient services in some cases, but it’s just way too much hype for me.

Nick P • June 11, 2015 4:14 PM

@ Justin

“I’m sorry, but “the cloud” is a hyped-up business model, not a technology. ”

It’s mostly hype but did bring specific technology: mainframe model with COTS parts and prices. The “cloud” technologies let you create machines out of thin air; configure their properties; rent CPU time, memory or storage; scale to high load easily; increase reliability; reduce administrative overhead. These are all things mainframe users were used to. The cloud delivered the equivalent with COTS servers, popular software stacks, modern interfaces, and low barrier to entry if not better prices.

So, there is a technological difference between how cloud companies do things and the ones that came before them. The technology definitely has advantages over traditional, mass-market server architectures. It’s still cheaper than IBM mainframes and maybe Fujitsu/Bull. Its feature set is also rapidly innovating. So, there is a real cloud technology even if there’s 100x more hype and they knocked off mainframes.

Note: Just merely having a mainframe replacement that I can afford and won’t be sued by IBM over is a competitive offering in itself. Remember what happened to the company pushing Hercules commercially for running legacy software cheaper?

GeorgeL • June 11, 2015 4:50 PM

@ Justin

“Take, say, Microsoft CRM as an example. You have CRM records, stored in a database in a certain format with lots and lots of fields. These can be downloaded in a fairly readable format. Then you have files associated associated with each customer, and you need Microsoft Visual Basic (or Visual C++, I forget) to access these programmatically.”

The cloud is just an extention to what you described. Vendor lock-in exists in all aspects of computing, and life, with some forms of value-add. That’s why governments must work very hard to enforce anti-trust measures. For example, our personal computers were at risk of being locked-in to a specific OS at one point, but anti-trust prevailed somewhat, so we have a few more choices. The thing I want to get at is this issue, IMHO, comes down to business decisions and government regulations. When these two factors are at play, the technical views of pros and cons are often overlooked.

rgaff • June 12, 2015 12:11 PM

@ mb wrote:

I haven’t heard of any cloud providers that offer courier services by horse. Last time I checked you access them over the internet … from your crappy network. With a username, a password and sometimes a token.

[cloud services] cannot be more secure than your network. If that’s your reason [for using them] you better ask them about their horses.

@ Justin wrote:

As far as courier services by horse are concerned, I am certain they find some use in such areas as the Islamic State where there are elevated data security concerns.

And finally I’ll comment about this horse theme:

The original implication by @mb is that the only way to be secure is to hand deliver all your data, and equating it with horses makes it sound funny and old fashioned.

Then @Justin takes it a step further and essentially implies that only terrorists need to be secure, the rest of us don’t need it!

Hold on folks… NO NO NO….. ALL OF US NEED SECURITY!!! If you stupidly think you don’t need security and privacy, please publicly post on this very blog your real name, address, phone number, credit card numbers, expiration dates, cvv numbers, bank account numbers, social security number, mother’s maiden name, all your usernames and passwords for everything and what they belong to, your complete medical history, any skeletons in your family closet and everything else you might not want everyone to know…. No? aww… whassa matta? You a TERRORIST??? You gonna kill all my children???

Stupid idiots, we all need security and privacy for basic society and commerce! It’s not old fashioned, nor is it only for terrorists! It is essential for life in every modern society.

Alon • June 27, 2015 12:21 PM

NSA never broke into Google’s data centers.

- • July 19, 2023 5:38 AM

@Moderator:

1, Emma Swift

Is,

Unsolicited Advertising.

Schneier on Security

Comments

Leave a comment Cancel reply