Today’s companies are understandably concerned about securing their systems and their employees’ and customers’ data; unfortunately, however, that concern is slowing the adoption of shared computing tools and techniques, which are commonly referred to these days using the “cloud” buzzword. Within this article, I’ll illustrate that there is no measurable difference between the level of cloud security that can be afforded within well-configured cloud-based solutions and the level of security that is typically provided for and within most companies’ internal networks.
Tools for Cloud Security
First, let’s look at a high-level list of the tools that are used to secure computer networks today:
- SSL (Secure Sockets Layer) [1]: SSL encryption can provide a level of security that is virtually impenetrable, provided an appropriate key length is used. A Wikipedia article on the security of both symmetric and asymmetric key encryption offers a very interesting primer on the subject. SSL is a common tool for both cloud-based security and internal network security.
- VPN (Virtual Private Network): Virtual Private Networks are used by virtually every large company to serve the dual purpose of securing their internal networks and providing access to remote contractors and employees. Because VPNs are established over the public Internet and use SSL for encryption, the level of security provided through VPNs is not superior to that provided by SSL connections negotiated over the public Internet.
- Two-factor authentication: Typically, this combines “something you know” (e.g. a password or PIN) with “something you have” (usually some sort of physical or virtual “token”). The most common method of providing two-factor authentication within large enterprises today is the use of passwords together with physical tokens, such as those provided by RSA (e.g. RSA’s “SecurID”).
Thus, in a typical organization, the highest level of security one can reasonably expect is a secured VPN connection – that is, an SSL-encrypted connection to a corporation’s private, internal computing resources – using two-factor authentication. For a cloud-based system to be just as secure, it would have to use SSL encryption with an equivalent key length and also employ two-factor authentication. Is two-factor authentication offered by today’s cloud computing vendors? Yes! [2] This means that it is easily possible to provide the same level of security against external attacks for cloud computing resources as for internal corporate resources. If an organization is pushing back on a cloud investment due to concerns about external security, decision-makers should feel confident in questioning the reasoning behind that pushback and in dismissing any knee-jerk or uneducated position as being based on irrational Fear, Uncertainty, and Doubt rather than on an objective assessment of the security options associated with cloud computing offerings.
Cloud Security: Understanding the Uncertainties
Now, let’s look at a much more complex area, that of internal security. If two (or more) organizations are using the same cloud-based computing resources, extra care must be taken to ensure that resources from one company can’t access data belonging to another company. The bottom line here is that this is a legitimate concern, and internal security resources should ensure that their prospective cloud computing vendors are using effective tools and techniques to secure their sensitive corporate data. However, when comparing the relative security of cloud computing resources, it’s interesting to note that most corporate networks today are no more secure from “internal” attacks than are cloud-based networks. Why? Simply put, a corporate network is only as strong as its weakest link, which can be a careless or criminally-motivated employee, a renegade wireless router, or an unsecured web server, just to name a few. [3][4] If computing is outsourced to the cloud, a gamble is being made that the security the cloud computing vendors employ to keep their employees away from a specific customer’s data and their other customers away from that customer’s data is more effective than the security that a company employs internally. Thus, the most important question to ask an internal security team here is the following: Do they believe they are more effective at guarding against internal attacks or compromises of data than the security teams at the prospective cloud vendor(s)? Furthermore, do they have the proof to justify their position? If they take the time to answer the question objectively, the conclusion will almost always be that it’s at least possible that they will be less effective at guarding against internal threats than the leading cloud computing vendors and that an objective study is warranted.
Again, question any knee-jerk statement that cloud computing is inherently insecure due to the risk of internal data breaches, and encourage a rational, objective assessment of the level of security offered internally and by any prospective cloud computing vendor.
What has been demonstrated? First, it’s been shown that there is no major advantage in guarding against external attacks for internal networks versus cloud-based networks, provided the same security precautions are employed. Second, we’ve uncovered the most important basic question that should be asked when comparing a cloud vendor’s ability to guard against internal attacks with an internal corporate security team’s ability to guard against similar attacks. Through this article, we’ve effectively illustrated that any blanket, knee-jerk generalization that cloud-based computing is inherently insecure is tantamount to irrational Fear, Uncertainty, and Doubt. Companies should approach the move to cloud computing with care, and they should consider it along with their other options while focusing on cloud security. However, they should not dismiss such a move due to generalizations based on Fear, Uncertainty, and Doubt. If they do, they may fall behind in the race to establish a more cost-effective, capable, and competitive business through the cost-saving benefits of cloud computing.
Notes
1. TLS, or Transport Layer Security, is the successor to SSL, or Secure Sockets Layer, and has rendered the SSL standard obsolete. Thus, the correct term to use is TLS and not SSL. However, since the term SSL is far more recognizable than TLS, I’ll use it within this article instead.
2. Salesforce.com recommends the use of hard tokens for two-factor authentication as a security best practice: http://trust.salesforce.com/trust/security/best_practices/. Amazon Web Services also offers MFA (Multi-Factor Authentication) for its computing resources: http://aws.amazon.com/security/#features.
3. This CIO Magazine article, though from 2007, lists a set of potential internal attack vectors that are still relevant today: http://www.cio.com/article/120101/Securing_the_Endpoints_The_10_Most_Common_Internal_Security_Threats?page=1&taxonomyId=3089.
4. This article from infosecisland.com (March 2011) lists some of the more common internal security threats corporations face today: https://www.infosecisland.com/blogview/12167-Unmasking-Security-Threats-in-the-Workplace.html.