Spare me your cloud security diatribes
If I read one more article about what MIT Technology Review in its January lead story is calling "the security problem inherent in the size and structure of clouds," then I swear I am going to burst a blood vessel. This article is a classic of the genre, beginning with an absurd screed about "computer security researchers" who "posited ... kinds of attacks" that "might ... work in clouds when different virtual machines run on the same server." A second team tried this out on Amazon and "succeeded in placing malicious virtual machines on the same servers as targets 40 percent of the time, all for a few dollars." They didn't actually steal any data, mind you. But the writer seems to believe we should all be very scared, because "the researchers said that such theft was theoretically possible." Oh my goodness, how awful!
From this malevolently auspicious beginning, the writer then goes on to catalog the usual tirade of Reasons Why The Cloud Cannot Be Trusted. These include such revelations as the finding that "cloud services ... are not without risk" and that "any breakdowns or hacks could prove devastating to many." You don't say?
I'm wondering when researchers at MIT are going to turn their attentions to the security problems inherent in the size and structure of buildings and cities?
It's not widely known that, by studying architectural blueprints and familiarizing themselves with routine security processes typically followed by businesses, hackers could break into your offices and access highly sensitive data. Indeed, say researchers, it's theoretically possible to download the entire contents of a corporate database onto a solid-state drive so small that it can be smuggled out of the building concealed in a back pocket. Yet most businesses remain blissfully unaware — some would say, wilfully negligent — of the ease with which their on-premise data can be compromised.
Meanwhile, there have been many examples of entire cities losing all access to computing functions after extended power blackouts because of a shared dependency on a single utility grid. Only a small proportion of businesses protect themselves against a total loss of computing capability by turning to cloud providers whose multi-geography infrastructures aren't dependent on a single power supplier.
But we don't read that. Instead, we have an article which is little more than a diatribe against the notion of relying on an expert provider to operate computing on your behalf. Except, that is, for a revealing passage halfway through, in which the author cites the case of an unnamed bank that, distrusting the cloud, has instead co-located its servers at "a nondescript data center in Somerville, MA ... owned by a small company called 2N+1, which offers companies chilled floor space, security, electricity, and connectivity." Unaware of the implicit irony, the writer concludes that the bank "chose to keep its own servers rather than hire a cloud. And for security, the bank chose the tangible kind: a steel fence." Yes, because of course, cloud providers, as the name suggests, protect their facilities with dry ice and cotton wool, don't they?
At least there's some consolation in the closing paragraph of the article, which contains a lesson from history that may yet give cloud doubters pause for thought (my emphasis added):
"The advent of radio posed similar issues a century ago, says Whitfield Diffie, one of the pioneers of public-key cryptography, who is now a visiting professor at Royal Holloway College at the University of London. Radio was so much more flexible and powerful than what it replaced — the telegraph — that you had to adopt it to survive in business or war. The catch was that radio can be picked up by anyone. In radio's case, fast, automated encryption and decryption technologies replaced slow human encoders, making it secure enough to realize its promise. Clouds will experience a similar evolution."