One of the main criticisms leveled at cloud computing is its inherent security flaws. After all, the whole concept of cloud computing introduces possible security risks that are not present in conventional IT setups. However, a growing number of technologists are making the argument that clouds, contrary to popular belief, are actually more secure than conventional IT environments.
What’s even more surprising is that the proponents arguing in favor of cloud computing’s security are not marketers or cloud vendors, who are naturally biased in favor of cloud. Rather, the supporters are some of the senior-most technology officials in the government, particularly those from intelligence agencies and the military, which are arguably the last places you’d expect to vouch for cloud’s security.
Some of the high-ranking execs who have recently touted the security benefits of cloud computing include Gen. Keith Alexander and federal CIO Steven VanRoekel, who are head of the NSA and US Cyber Command, as well as CIA CTO Gus Hunt and NIST security researchers Dr. Ronald Ross, Peter Mell, and former NSA director Adm. Mike McConnell.
However, most of the comments and statements of cloud security supporters come with the disclaimer “if you do it right,” which means cloud computing is only secure if the user practices vigilance and uses the proper security measures, such as encryption, monitoring, and patching.
One of the benefits of shifting to cloud is that it gives people the opportunity, or rather forces them, to rethink security from the ground up and to restructure their networks and datacenters in a way that will close existing gaps and prevent potential ones from ever opening up. The feds are doing their part and helping agencies deal with the move through a growing body of guidance, such as NIST’s 68-page document on cloud security and controls required in the forthcoming FedRAMP security authorization program.
CIA CTO Alexander Hunt’s idea is to automatically and periodically move workloads and reimage machines as a way of creating a polymorphic attack surface. This minimizes risk by confusing would-be attackers: because the physical server keeps changing, they cannot familiarize themselves with the system they want to attack.
Hunt is no IT lightweight, and he takes security seriously. The agency he works for is paranoid for a reason, he says: people really are out to get them, and it is neither a joke nor hyperbole when they say that people die when secrets leak out.
Gen. Alexander says that one of the main benefits of cloud is that it provides better visibility and situational awareness, and would actually speed up the rolling out of patches, compared to the current setup, which takes months to push out a single patch.
While the concepts the feds are talking about only apply to private clouds, NIST’s Mell posits that the logic they use also applies to most public clouds right now, due to the fact that public clouds are under the care and watch of world-class engineers at Amazon, Google, and Microsoft, which could mean that public clouds are actually much more secure than simply hosting data in your own datacenter.
However, not everyone agrees with the feds’ take on cloud security. For instance, some attendees at a recent cybersecurity event in Baltimore argued that virtualization and consolidation might make an IT environment more manageable, but that they also create a bigger target for social engineering and other forms of intrusion.
NIST also has a word of warning, despite its staunch support for cloud computing: cloud computing should be handled by vigilant IT personnel, as IT professionals who are slacking in security controls are putting their entire organizations at high levels of risk.
But when done right, clouds are inherently more secure than conventional data centers. According to the government’s most influential IT leaders, it’s only a matter of people actually taking the time to relearn what security means, and to focus on the potential security benefits of cloud computing, rather than wasting opportunities worrying about the things that could go wrong.