Will cloud security ever be sufficient?

Will cloud security ever be sufficient?

Summary: What will make the Cloud an acceptable location for business? It's your turn to sound off and offer some solutions for Cloud security.

TOPICS: Security, Servers

I get a lot of feedback when I mention the Cloud and cloud-based services. A lot of negative feedback. Many readers, like yourself, explain to me with sound and fury about how the Cloud isn't secure and that it is an easy target that's just waiting to be hacked--or perhaps even waving a red cloak in front of black hat hackers. The Cloud beckons all criminal hackers to come a-runnin' with all tools in hand ready for easy pickings.

If that's really the way you feel about the Cloud, then tell me (and the rest of us), how the Cloud can be made secure?

Will it require one or more of the following?

  • Two-factor authentication
  • A proprietary secure channel
  • A new Cloud-specific protocol
  • A new extreme encryption level
  • An acceptable level of risk

I want you to consider each of the options I've given and tell me what you think. You can also respond with ideas of your own, if you feel that any of those won't work.
Allow me to consider the five options from my perspective.

  1. Two-factor authentication - This would be an expensive option although very secure. This method would require each Cloud user to have a secure token or gadget that randomly produces a key code that allows connectivity to their Cloud infrastructure. It would also require that the user connect to Cloud systems with a user name and password.
  2. A proprietary secure channel - This method would require that the Cloud provider distribute a piece of client software to each customer with a specific connection code, kind of like a license key. The key would validate the client software, customer location and a username/password combination to secure the channel.
  3. A Cloud-specific protocol - A new protocol could take years to implement but it could work. For example, it could link two sites together for Cloud use with some sort of end-to-end verification so that no man-in-the-middle attacks or spoofing could occur. This new protocol could also require new client and server software but at least this time, programmers could get it right by having the time to create a truly secure communications link.
  4. A new extreme encryption level - Most encryption levels can be hacked with some effort but if a new super encryption level were to be created, it would prove virtually unbreakable at least with currently available computing power.
  5. An acceptable level of risk - This seems to be the least popular, although the most likely, scenario. Vendors will do what they can, within reason, to secure systems and communications. The problem with the other four options is expense. With competition constantly driving prices downward, vendors have to make a 'best effort' and rely on best practices to provide as much security as is reasonable for the price. That means accepting a certain level of risk.

I'm in favor of a secure Cloud. No one wants to have their data stolen. But, no one wants to pay for the extreme security required for a non-confrontational view of the Cloud. I think that we have to strike a balance between price and security for the Cloud to become a reasonable place in which to do business.

The question is, "How much risk are you willing to accept?"

Write back and let's discuss the options that you think will make the Cloud an acceptable place for business and data.

Topics: Security, Servers


Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Will cloud security ever be sufficient?

  • RE: Will cloud security ever be sufficient?

    For a lot of firms the cloud will never be secure enough. It will be especially interesting as the laws for more secure client data run into the push for the cloud.
    • RE: Will cloud security ever be sufficient?


      Any ideas on what you think will make the Cloud sufficiently secure for use?
  • The problem is attack surface

    No matter how "secure" you try to make the cloud there is one insurmountable issue that doesn't exist for private (ie non-internet accessible) systems: global accessibility.

    This is the Achilles heel of cloud. To parphrase, it's not a bug, it's a feature. Only this "feature" will forever raise the security bar to an impossible level.

    Two factor ID, super-encryption, nothing will protect against a hacker that's already inside the user's PC. MITM attacks may be difficult, but *nothing* renders them impossible--since the "in the middle" part can mean "between the user's keyboard and the LAN card"...

    Given that companies want cheap, the logical thing would be hosting companies--but that makes the problem even worse should the computer that's compromised be the server!

    No matter what you do cloud will *by design* less secure. All because the attack surface is measured in *billions* of potential points of attack.

    Cloud is worse than Windows 95 for that reason.
    • RE: Will cloud security ever be sufficient?

      @wolf_z Couldn't agree with you more. We actually wrote a white paper about cloud based storage threat models. Pretty much right in line with what you said.


      As far as for the factors outlined above. We pretty much cover them all to some degree.

  • We have all of this. We just need to use it!

    "If that???s really the way you feel about the Cloud, then tell me (and the rest of us), how the Cloud can be made secure?"

    -The cloud is a nice tool, but not a panacea. Be realistic about the cloud's advantages and disadvantages. Don't be ignorant of its disadvantages.

    -Isolation when needed. As much as it seems to be against the cloud philosophy, it's the only way to keep the most sensitive types of data secure. If you're in charge of military secrets (or something of equally high value), none of the computers you use to store them should have any connection to the internet.

    -Encryption and digital signatures have to be a vital part of any future computing infrastructure. Period, case closed. No more excuses for unencrypted and unsigned data.

    "Allow me to consider the five options from my perspective."

    #1: Two factor authentication is no longer expensive! You can now get phone apps that provide it, or cheap plastic devices. I have two security tokens from PayPal and the Blizzard authenticator. All of them are very cheap.

    #2 and #3 we already have: It's called TLS. Every browser in the world has it.

    #4 we also already have: The top of the line crypto we have today has not been found to be susceptible to attacks. 99% of attacks come from things like poor implementations, poor passwords, and refusing to give up older types of crypto. [b]WE HAVE GOOD CRYPTOGRAPHY AVAILABLE.[/b] We just aren't always using it, or aren't implementing it properly.

    I don't know where you're getting the idea that our current crypto can be hacked "with some effort." That's nonsense. If you take a look at what's been done, it's mostly been about bad or buggy implementations, which is not the fault of the crypto algorithm itself. The currently accepted methods of cryptography are not hackable "with some effort" if implemented properly.
    • RE: Will cloud security ever be sufficient?

      @CobraA1 Couldn't agree with you more about the crypto. We believe the exact same thing.

      We do already have all these things, to some degree, and when used together we think that it makes for about as secure a cloud product as you can get. This might be the kind of implementation that you were talking about.

  • An open-ended question

    Given that there are public and private clouds (as well as hybrid clouds).<br><br>Given that 'security' for some individuals can also include redundancy, privacy and control. Is the data backed up or otherwise protected from loss arising from various disasters (i.e., disaster recovery)? Regarding privacy, are employees of the Cloud provider able to peek, noticed or unnoticed, into customer data? Regarding control, who owns the data (i.e., Facebook, Google+)? Who is responsible for providing access to the data, applications, platforms, etc.? As an example, consider identity management. Can it be managed by Cloud customers IT departments? Like they do with on-site SAP deployments, as an example?<br><br>Given that some individuals and organizations are more diligent with their systems security than others. There's lots of break-ins of personal PCs and enterprise systems already, independent of the Cloud.<br><br>I also think that standards are an important issue (I'm thinking of HIPAA and SOX, among other things). Once standards exist, one can measure Cloud providers against them and tweak them as needed. There will likely be multiple levels of standards, each level dependent on the nature of the data, applications, platforms, etc. managed in a particular Cloud instance.<br><br>Based on the number of break-ins, I believe that Cloud security is already sufficient for many users and enterprises. And that it will continue to improve.

    One final thing. The absence of air gaps should be a big plus for the Cloud.
    Rabid Howler Monkey
    • RE: Will cloud security ever be sufficient?

      @Rabid Howler Monkey

      Well said. I'd add as well if the government comes kocking with (or without) a warrant is the cloud provider going to roll over and give up your data or will they fight tooth and nail to protect your company's information. Collarary is I think European companies are especially nervous of U.S. cloud providers for this reason.
      • RE: Will cloud security ever be sufficient?

        @MajorlyCool This is a concern that is overlooked by many people. We built a product that is zero-knowledge and the can't turn over info even if it wanted to. It's really the only way that you're going to get people to trust in the cloud.


    • RE: Will cloud security ever be sufficient?

      @Rabid Howler Monkey
      One problem that remains is the law. It needs to catch up. This is one of the biggest problems facing us (non-Americans).

      The Patriot Act tramples all over the legal requirements of companies outside of the USA and basically leaves them, specially Europeans, without many options - we cannot use a cloud provider that has offices in the USA and is subject to the Patriot Act.

      The cloud provider will hand over data to the US government upon request, without informing the data owner or obtaining the proper authorisation (personal data held by EU companies cannot be handed to third parties outside the Eurozone without the express permission of the individual(s)). The problem is, the US government gets their data, the cloud provider complies with the Patriot act and the poor idot who thought the cloud was a good idea of a data owner gets sued by his local government and the affected individuals for letting the data be shown to a third party without permission!
      • RE: Will cloud security ever be sufficient?

        @wright_is wrote:
        "we cannot use a cloud provider that has offices in the USA and is subject to the Patriot Act.

        This would appear to present a great business opportunity for Cloud providers wishing to serve the rest of the world outside the U.S. (and its territories). All one has to do is eschew the U.S. (and its territories).

        P.S. The Patriot Act is a disaster for Americans too.
        Rabid Howler Monkey
  • RE: Will cloud security ever be sufficient?

    There is only one problem with cloud computing and CobraA1 said it,
    "WE HAVE GOOD CRYPTOGRAPHY AVAILABLE. We just aren't always using it, or aren't implementing it properly."
    It goes with, "We have good security protocols, if everybody used them." Antispyware, Antimalware, Antiviruses, Firewalls. Even Windows could be made secure. How may people have a firewall on the smartphone, when was the last time you ran an antispyware program on your work computer or the computer you took to work today?? The problem isn't having security. The problem is, people aren't using it until the have a problem. Even then, once the problem is gone, they go back to their old unsecure ways. Then they take these habits to work and infect the companies system.
    the one and only way to secure cloud computing is for people to be secure when using it. Not some people but everybody using it. It only takes one person to leave the door open.
    • P.I.E.

      @racoffey We don't just need crypto, we need PIE (Pre-Internet Encryption). Because of things like the Patriot Act (see my comment above to Rabid Howler Monkey), for companies outside the USA especially, the data needs to be encrypted before it gets anywhere near the cloud.
    • RE: Will cloud security ever be sufficient?

      @racoffey Couldn't agree with you more.

  • RE: Will cloud security ever be sufficient?

    My thing is that no matter what "technology" you use to secure it someone WILL break into the cloud. I think I would feel more secure having full control of everything within my network than handing personal and sensitive files to another company and HOPE that they do everything they need to to secure my files. Because you know when stuff goes missing, Company X that was handleing my "cloud files" will just throw thier hands in the air and say "We are very sorry for your lose and are working to find out what happened." Meanwhile, I'm back at my office sweating bullets while the company loses 10k dollars a min.
  • The solutions no one talks about

    Client-side encryption and zero-knowledge applications.
    • RE: Will cloud security ever be sufficient?

      @jsp722 I'll +1 that. P.I.E. is the answer.
  • RE: Will cloud security ever be sufficient?

    Your article seems to assume that it's a given that the Cloud is a fine idea. All that's necessary is to overcome "sales resistance" among the naturally skeptical business community. I don't agree. Even if a cloud provider's servers were practically immune from outside attack, many cases of data theft I've heard of are inside jobs. You're putting your data and business secrets in the hands of distant technicians whose trustworthiness is a complete unknown.
  • RE: Will cloud security ever be sufficient?

    Moving to the cloud can be a scary experience for some companies. While doing so can improve efficiencies, cost saving and competitive advantage, it can also bring new challenges and security risks. Along with the security recommendations you???ve made, I would also like to add Secure Socket Layer (SSL) certificates to the list. By requiring cloud providers to use SSL encryption, data can securely move between servers or between servers and browsers. At Symantec, we are aware that not all SSL or Certificate Authorities (CA) are created equal. We feel it is important for organizations to choose their CA carefully to ensure they have thorough and effective authentication processes in place. Companies should also consider extended validation SSL (EV SSL), which undergoes the strictest vetting standards on the Internet.

    Michael Lin