The complications and concerns around cloud computing should not be underestimated, argued Alex Stamos, co-founder and partner of iSEC Partners, at the Black Hat conference in Las Vegas, 30 July 2009.
In a session titled ‘Cloud computing models and vulnerabilities: Raining on the trendy new parade’, Stamos explored the challenge of securing and auditing systems once the corporate data-centre is abstracted. Although cloud computing promises cost savings for many organisations, there are many complications that need to be considered, said iSEC’s Stamos.
Firstly, Stamos declared the term ‘cloud computing’ useless. “It’s now just a marketing term” he said. “Despite widespread belief, it doesn’t mean virtualisation, or remote backup, neither is it most of the stuff that people actually believe it to be”.
So, what does it mean? “Lots of general purpose hosts; central management; distributed data storage; the ability to move applications from system to system; low-touch provisioning system; and soft failover”, Stamos listed. In short, “If you aren’t re-writing your software, it’s not cloud computing”.
Looking specifically as SaaS (software as a service), Stamos declared that “everything is outsourced; everything is someone else’s responsibility – except your data”.
Through SaaS, organisations lose controls, said Stamos. He listed the following as examples:
- Physical and logical network barriers
- Endpoint restrictions and management
- Non-password authentication
- Fine grained credential quality controls
- Password re-set process
“Most SaaS vendors do not provide the level of audit logs needed”, said Stamos. “You could take back authentication, but that defeats some of the benefits of the cloud”.
No promises
Stamos presented the issue of liability concerns with EULAs (end user license agreements) from those offering cloud services. “These companies have well-trained legal departments. The agreements you sign to use the services promise you absolutely nothing. If there is a breach, or data loss, don’t expect any support or help from them”.
This, Stamos argued, is unfair. “While you can’t expect them to accept financial responsibility, a certain level of help should be available”.
Most EULAs specifically disallow malicious traffic, “but this is just a standard for information security – and is often required in order to be compliant”.
In addition to this lack of support on the liability front, using cloud services also reduces your protection from law enforcement. “In the current state of law, you have less protection using cloud services than if you were using your own machines to contain the data – this means that you have no protection against search of data by law enforcement.
“If your data is at Google, you have no constitutional protection over that data”. As a result, said Stamos, once your data is in the cloud, you lose the following things:
- Protection of a warrant
- Guarantee of notice
- Ability to fight seizures beforehand
“Storing your data yourself on your own computer is the most legally secure way to handle your private information”, iSEC’s Stamos confirmed.
In conclusion, said Stamos, “moving to SaaS takes away the traditional IT controls that organisations traditionally have. Incident response on the cloud becomes more difficult and legal issues can become a stumbling block – so be sure to get a good IP lawyer”.
“The bottom line”, finished Stamos, “is that state of research into basic technologies does not provide for confident security analysis."