As the cloud services industry grows into a business worth more than $100 billion, this might be a good time to ask the key question: is it truly secure, and how do we know?
Let’s start with researcher/analyst Bruce Schneier, a man with serious credibility in the cybersecurity field. Schneier is one of only a handful of people who have been given access to all of the documents liberated from the NSA by Edward Snowden, and he was the subject of a flattering profile in Vanity Fair magazine in 2011. (Schneier, an outspoken critic of U.S. airport security, showed the magazine’s reporter how to create and print a fake airline boarding pass. It worked.)
At the infamous Black Hat Cybersecurity conference in Las Vegas earlier this month, Schneier was asked by an audience member whether the cloud was secure. Schneier’s response was not reassuring. “For the bigger cloud companies, their security model is ‘trust us’,” said Schneier. “Their model is take it or leave it.”
For some, Schneier’s quick take on the state of cloud security is legitimate. “Most organizations need an audit trail for what happened within the cloud services used by their employees,” says Ofer Hendler, co-founder and CEO of Skyfence, “but cloud providers often can’t or won’t provide this information.”
Hendler also points out that companies should assume responsibility for securing their cloud applications. “They can’t expect cloud providers to meet all their security requirements … businesses have to take control over cloud security,” says Hendler.
Yet there is also plenty of evidence that cloud providers are becoming more aware that sound security compliance practices and third-party audits are essential in this rapidly growing field. Amazon, one of the largest cloud services providers in the world, has publicly posted the independent audit results of its security practices. And Microsoft has stated that its Azure cloud platform “undergoes regular verification by third-party audit firms,” though it will provide those results only to customers who request them.
Another company that offers independent verification of security controls is Rackspace. According to Ed Sachanowicz, Director of Governance, Risk and Compliance, prospective or longtime customers visit his company for onsite audits, something that Rackspace willingly accommodates.
“Cloud providers are under constant, independent scrutiny and validation of their controls through a number of programs,” says Jonathan Trull, Chief Information Security Officer for Qualys. Trull points out that existing programs such as FedRAMP (a mandatory audit process for cloud companies supporting the federal government) and the TRUSTe/EU Safe Harbor audits go well beyond the “trust us” model that Schneier describes as the only one cloud providers currently offer.
“My experience shows that many companies choose cloud service providers because the providers can deliver security controls superior to those deployed internally within the company,” said Trull.
This does not necessarily mean that cloud-based systems are fully protected from hacking. At the same Black Hat conference where Schneier appeared, a team of security researchers presented the results of their own experiment in cloud exploits. Oscar Salazar and Rob Ragan of Bishop Fox showed how they were able to rig an online sweepstakes promotion by using free cloud services for unlimited email processing.
They did this by gathering real, unique email addresses to circumvent the controls that cloud providers had implemented to spot “fraud” generated by huge numbers of submissions coming from one source. Using readily available tools like “Google App Engine” and “Inbound Mail Handler,” Salazar and Ragan cleaned up while remote storage systems did all the work. “We’re not getting a large electric bill at the end of the day either,” joked Ragan.
Skyfence’s Hendler also points out that another security “blind spot” for companies in the cloud can often be apps used by their own employees. “Their first priority (should be) to get visibility over all the apps being used,” says Hendler.
The evidence currently points toward a mixed picture as far as cloud security is concerned. It’s clear that some cloud providers readily make audit results available, but many still do not. Meanwhile, there are plenty of internal and external threats that must be handled on a regular basis. Instead of “trust us,” the real mantra should still be “trust … but verify.”