A BT study covering 11 countries reveals that more than three-quarters of IT decision makers are "extremely anxious" about the security of cloud-based services -- yet 79 percent of U.S. enterprise execs (70 percent globally) are adopting cloud storage and web applications within their business.
BT says this trust drop (82 percent in the US, 76 percent globally) is "a substantial increase of 10 percent globally from previous research in 2012."
With recent news of serious cloud security breaches, such as the Xen bug forcing Amazon to reboot its EC2 instances, and Xen making Rackspace do the same this weekend, plus consumer fears fanned by the "celebrity nudes iCloud hack" -- it's no wonder IT is losing its faith.
But with trust in cloud security at rock bottom, is enterprise IT nuts for putting its data security into cloud and SaaS?
ZDNet asked Joyce which known issues in cloud security are still unaddressed and he said, "I cannot list them all."
OpenStack's focus on peer review of code has identified a great many problems and risks including those promoted potentially by state actors.
We are a project utilized by both the NSA and the People's Liberation Army along with groups like Vietnamese dissidents and CERN.
Talking to Joyce makes the disconnect between trust and adoption feel more acute. Even though their confidence around cloud security is at an all-time low, 69 percent of large U.S. organizations (50 percent globally) are still opting for mass market "consumer" cloud services -- rather than those intended for enterprise.
BT's report explores the rift, saying that around half of the respondents see enterprise cloud applications and services as "too expensive" and believe that mass market public cloud apps and services are just as good as those for enterprise users.
Joyce explained why this is happening. "Cloud promotes the sharing of resources at a very large scale." He said, "This is where it is most economically viable. And that makes its utility in an environment requiring trust relationships limited in scope."
And trust is where cloud is failing the hardest. Joyce opined, "I am a firm believer that trust relationships do not scale. You must segment into shared trusts if you intend to maintain a trust relationship regarding the distribution of information and resources."
Sharing resources means sharing risk. Everyone faces risk regardless, and facing risk means taking a chance on paying a steep price.
Sharing the costs along with the risk is quite often a prudent and responsible act; there is a reason companies insure themselves. For many organizations, a cloud environment's shared risk is a step up: the infrastructure is no longer a cost center, and at least some of the risk becomes a shared burden.
BT's research attempted to nail down the places trust is failing cloud the most. The report stated,
For more than half (54 percent in U.S. and globally) of IT decision makers, trusting a third party is also a concern.
In the US, 40 percent (41 percent globally) of respondents have the impression that all cloud services are inherently insecure and 22 percent (26 percent globally) of those surveyed said that they had experienced a data breach incident where their cloud service provider was the party at fault.
Cloud's paradox of risk and reward
Joyce explained, "From an OpenStack perspective our first real issue was trying to get on top of identifying risks and addressing them as best we could, and frankly in the early years we simply didn't have the resources to do it."
He explained that with adoption, that "has changed dramatically."
Joyce said, "We now have a number of highly capable folks contributing to the growth of a community of researchers and professionals that support the cause of security in the OpenStack project (through the OpenStack Security Group and the OpenStack Vulnerability Management Team)."
The biggest fear in cloud security is in IaaS, where Joyce said "the big fear is hypervisor escapes. There is no guaranteed way to address this risk today." He said:
Due to the homogeneity of cloud infrastructure (thousands of the same exact device with the same software), one vulnerability that affects it will affect all of it. You could conceivably hit and compromise thousands of nodes with the same exploit and then use that to hit all of the varied array of different virtual machines from the hypervisor host. And people have been turning to TPM and other technologies to try to address this.
Building on that, the trust model in UNIX/Linux assumes that root can be used to protect shared secrets. If you want to store service credentials in a host but do not trust the users, you can make that information available only to root and allow access to it as a daemon or service with a defined scope.
Since every user in an IaaS environment is root in their environment, that trust model is broken. In and of itself this is not terrible, except that it's a paradigm shift from the way UNIX and Linux have operated for 40 years.
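The pattern Joyce describes, a credential kept readable only by root and reached through a daemon with a defined scope, looks like this in practice. This is an added example written for this article, not code from OpenStack or from Joyce; the credential file name, the scope table, the caller names and the sample secret are all constructed, and the broker runs in-process rather than as a separate daemon. The point it makes is that the unprivileged caller only ever receives the result of one permitted operation (a request signature), never the credential itself. As Joyce notes, that guarantee holds only while the caller is not root; inside a tenant's VM the tenant is root, so the 0600 file is no protection at all.

```python
"""Scoped credential broker: root-only secret, narrowly scoped access.

Added example; not OpenStack code. Paths, scopes and the secret are
constructed for illustration.
"""
import hashlib
import hmac
import os
import stat
import tempfile

# Constructed sample credential (not a real key).
SAMPLE_SECRET = b"constructed-service-credential-0123456789"


def write_root_only_secret(path, secret):
    """Write `secret` to `path` readable by its owner only (mode 0600).

    On a real host the owner is root; here it is whoever runs the
    example, which is enough to show the permission bits at work.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    os.chmod(path, 0o600)  # the O_CREAT mode is subject to umask; force it


def secret_is_private(path):
    """True if the file is regular and has no group/other permission bits."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


class ScopedBroker:
    """Holds the credential and performs exactly one operation with it.

    `scopes` maps a caller identity to the (HTTP method, path prefix)
    pairs that caller may have signed. The raw secret is never returned.
    """

    def __init__(self, secret_path, scopes):
        if not secret_is_private(secret_path):
            raise PermissionError(f"{secret_path} is readable by non-owners")
        with open(secret_path, "rb") as f:
            self._secret = f.read()
        self._scopes = {caller: tuple(pairs) for caller, pairs in scopes.items()}

    def allowed(self, caller, method, path):
        return any(method == m and path.startswith(prefix)
                   for m, prefix in self._scopes.get(caller, ()))

    def sign(self, caller, method, path):
        """Return an HMAC over the request if the caller's scope permits it."""
        if not self.allowed(caller, method, path):
            raise PermissionError(f"{caller} may not sign {method} {path}")
        msg = f"{method} {path}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


def verify(secret, method, path, signature):
    """What the remote service does with the signature the broker produced."""
    msg = f"{method} {path}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def demo():
    """Run the pattern end to end; returns (file_private, sig_valid, denied)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "service.cred")  # constructed path
        write_root_only_secret(path, SAMPLE_SECRET)
        private = secret_is_private(path)

        # Constructed scope: the web tier may only sign reads of invoices.
        broker = ScopedBroker(path, {"billing-web": [("GET", "/v1/invoices/")]})
        sig = broker.sign("billing-web", "GET", "/v1/invoices/42")
        valid = verify(SAMPLE_SECRET, "GET", "/v1/invoices/42", sig)

        try:
            broker.sign("billing-web", "DELETE", "/v1/invoices/42")
            denied = False
        except PermissionError:
            denied = True
        return private, valid, denied


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Swapping the in-process object for a real daemon behind a Unix socket does not change the trust argument: the daemon runs as root, the socket is the only thing the unprivileged caller can reach, and the scope table decides what the daemon will do on the caller's behalf.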
Echoing current sentiment pervasive in today's infosec discussion circles, Joyce added wisely, "As with issues such as Shellshock, the ability to change and adapt to this sort of shift in the landscape is mired in the chains of technical debt."
Joyce said that at heart, cloud must be a constant -- and by necessity, productive -- conversation about risk. "Ultimately, Cloud has a different exposure to risk than traditional shared services. But, as with any risk, you need to be able to assess for yourself if the risk to benefit ratio is in your best interest." He added, "Going into a deep dive on risk and exposure of cloud environments could literally fill a very large book."
The best thing IT can do, Joyce told ZDNet, is to refine risk analysis for each unique situation, specifically "evaluation of risk from a C-level perspective especially geared to infosec concerns."
Joyce strongly recommends the presentations of researcher Dan Geer; information gleaned from them, he said, will help IT folks frame their concerns in terms their managers can understand and respond to effectively, "and that means doing their jobs better."
- See also: Dan Geer's Measuring Security (.PDF link)
This, Joyce told ZDNet, can "help C level execs understand that information security isn't boogie men, or the magic of Hollywood, but just another risk they can quantify and address as is their stock in trade."