Cloud security: Reports slam data protection, national Internets, access myths

Cloud security risks, and rewards: Leviathan Security today released three reports on whether it's more or less secure than local storage, if data can be kept available and confidential, and whether companies can adequately hire to secure their data.
Written by Violet Blue, Contributor


In three whitepapers commissioned by Google and created by Leviathan Security Group, Inc. -- covering enterprise cloud issues of Availability, Scarcity, Vulnerability -- the security firm found more than a few surprises, in addition to at least one grim truth.

To put it lightly, these whitepapers are high-value documents for all organizations that deal with data storage security, and for their decision-makers, administrators, and infosec personnel. Each report is refreshingly concise, well-written and packed with answers.

Leviathan's conclusions, especially around global data availability concerns, are powerful and hint at a dark future if policymakers don't wake up soon.

"The world has become better at keeping data secure and safe by distributing it to multiple continents," explained Leviathan CEO Frank Heidt. "However," he cautioned, "some leaders are calling for 'national Internets' -- censored, walled gardens set up to appease special interest groups that range from political factions, to property cartels, to religious police."

"Other leaders have taken a different tack, called forced localization; rather than blocking your communications, they want to require that all your data (and all the computers that handle it) be inside a single country: theirs, for whichever country they represent." Commenting on the Availability report, Heidt warned that "These would be major changes to the structure of the Internet -- changes that would harm both businesses and the general public."

Localization: "misguided"

Heidt said that based on Leviathan's research, data localization "is misguided." He explained, "Some will say that keeping things in a single country is the only way to prevent international spies from reading our data, since we now know that certain countries have a bad habit of not minding their own business on the Internet."

The lawless are not deterred by new laws; keeping data within a border won't stop those who believe that rules don't apply to them, even though it will curtail the ability of law-abiding people to keep their data safe.

The way to protect secrets from prying eyes is through software that is both secure and easy to use, with projects like Peerio, RedPhone, SpiderOak, and Silent Circle making powerful security available to the general public.

Both Availability and Vulnerability contain revelations for enterprise orgs looking for straight answers about local vs. cloud access, and arguments around securing data in the cloud.

"When utilized properly," the report says, "cloud storage gives companies the ability to use resources in different geographic regions to ensure high availability even in the face of local/area/regional incidents."

Achieving this, however, requires taking advantage of geographical redundancy -- ensuring that data is replicated not just across a city, but across a continent or an ocean. Many companies treat cloud providers like colocation facilities, storing all their data in a single region of a single cloud provider and relying on that facility to provide continuous access.

This produces predictable results: this paper has discussed many situations where single-datacenter storage, despite "cloud" branding, caused substantial failures in availability.

The Availability report dives into the availability of data stored in data centers and the cloud in the face of disasters and other large-scale events, such as national censorship and wars.

To get a wide range of possibilities in its availability analysis, Leviathan examined three major points of presence, from cloud vendors Rackspace Inc. (Dulles, VA), Linode, LLC (Fremont, CA) and Amazon Web Services US-West-2 (Oregon).

Surprisingly, Availability showed that using a local datacenter provides no lower latency than using a cloud datacenter, "even one across the country." Using itself as a test subject, the firm found:

From each Leviathan location, each of the major cloud platforms was just a few hops away, whether the facility was in the same area or not; this is likely due to the major cloud platforms' systems having nearly-direct connections to major peering points, where many networks come together.

By contrast, a connection to the colocation facility, even from the Seattle office, required many more hops; communications ran from the office, to the ISP, to a small peering point, to a large regional peering point, back to a different small peering point, to the datacenter's ISP, and finally to the datacenter itself.

The Vulnerability report taps into all our Home Depot, Anthem hack, and Sony IP meltdown fears. It sets up to "examine the notion of vulnerability of data storage -- the exposure of data storage options, both in world-spanning cloud storage services, and in localized datacenters, to threats in setting up and operating reliable, redundant, and resilient data services."

In order to explore the notion of vulnerability as it relates to cloud security, we have enumerated the characteristics of commonly available cloud storage platforms in terms of cost, capacity, access management, reliability, redundancy, resilience, backup capability and operations.

If that's not tempting enough for you, just wait until you get to the storage scenarios and solutions architecture sections, and then common threats, cloud-specific threats, local storage threats, management issues -- and extensive cost comparison tables -- your organization's reflection is most certainly in this pond.

Arms race? Wrong.

It's the data security vulnerability perceptions that get taken out to the woodshed, however. "Security is often compared to an arms race -- a constant grind of building the newer, the better, and the more effective," we're told, and then shown that "this comparison is inaccurate."

Modern methodologies allow attackers continuously to probe the trust boundaries of any organization, which means that rather than waiting for an overwhelming advantage, an adversary will exploit any temporary lapse. Temporary lapses are, however, inevitable in almost any organization.

Maintenance activities, such as security patching and updates, perimeter rules changes, and the addition or subtraction of, or change to, any network device will cause cracks to appear in the security of any organization. Preventative measures, such as "intrusion detection systems," are brittle, and their alerts must carefully be monitored in order to derive value from them; this is particularly difficult given an environment of a continuous war of attrition in which the attackers are many, and the defenders few.

Leviathan's Vulnerability whitepaper emphasizes that companies who store their own data, rather than using a cloud-based storage medium, must "make a significant and continuous investment in tools, training, and personnel charged with guarding the business' most significant assets: its knowledge."

"The defense, like the adversary, must be continuous, growing, and tireless; anything less will not suffice."
