Opinion: We're doomed to insecurity in the cloud

New technology means re-learning and re-thinking security, says Roger A Grimes

Working in the IT security field, you spend every waking hour striving to improve protection and lower risk. Then another computing technology emerges - the internet, wireless networking, mobile computing, social networking, and so on - and you have to learn every security lesson all over, as if something new and surprising has come along.

In the past few weeks, we've seen authentication token leaks from Facebook; a rise in mobile malware; major networks running without a firewall and with unpatched major software; and an array of security appliance vulnerabilities. Secunia, which doesn't track every software product, is still publishing 250 to 350 vulnerability announcements per week. Some of the exploited technologies may be relatively new, but in terms of security, it's really more of the same.

Now some people think cloud computing and thin clients will decrease security risks and usher in an age of fewer exploits. I'm not so hopeful.

Thin clients have the potential to be less exploitable, simply because they have fewer lines of code, which should in turn mean fewer bugs, fewer security vulnerabilities, and less attack surface. However, thin clients rely on browsers to do the heavy lifting -- and browsers are the most exploitable pieces of software ever created.

Many readers might still think that Microsoft (my full-time employer) has the most vulnerable browser on the market in Internet Explorer. Surprise, surprise -- every major vendor that has tried to make a significantly less vulnerable browser has failed. Chrome, Firefox, and Safari have vulnerabilities numbering in the hundreds -- far more than Internet Explorer in the same time periods. It turns out making a truly secure browser is harder than it looks.

Further, the forthcoming thin client OSes use these same browsers to do most of the end-user work. How can we expect an entire OS platform to be more secure if the major single application they rely on has hundreds of bugs?

One good argument could be that these forthcoming client computers will have less functionality. They won't allow users to save files (or even states) locally. If the end-user can't save to their machines, it's going to be a lot tougher for malware writers and hackers to manipulate those computers, right?

Probably not. First, just as users aren't supposed to care where their data or profiles are located, malware writers won't care either. Wherever you are allowed to write data, the bad guy will follow. It's merely a change in locale, and as bank robbers break into banks because that's where the money is, the same principle applies here.

Second, I'm already hearing hedges. For example, end-users are asking how they will be able to work on their data files when they aren't connected to the Internet or the vendor cloud. The thin client vendors are replying that the users can work with a locally cached copy while offline. Get that? Users can't save files to their computer, but their computer will save cached copies locally. What's the difference between that computing model and the current PC model? Not much.

It gets worse. Users are going to object to binary security models with thin clients just as they do on PCs and the Internet. As different platforms become more popular, the vendors will be forced to offer more functionality and more granular security. All of that means these devices will likely become as insecure as the platforms they are replacing.

One of my favorite examples is Adobe Acrobat Reader. When all it did was display a document, it was fairly hard to hack. But it became popular and Adobe added features, such as the ability to automatically launch links and executable code from within a PDF document. That ended Reader's free security ride. Today, the software is involved in a sizable percentage of end-user exploits. Adobe releases monthly patches closing dozens of newly discovered and exploited vulnerabilities every year. I don't blame Adobe. Stay static and your competitor will eat you for lunch.

End-users don't buy security; they buy features and coolness. If end-users truly cared about security, OpenBSD would rule the planet. It's free and has a demonstrated 15-year history as the most secure (popular) operating system on the planet. It's the OS of choice for hundreds of thousands of users, but in my two-decade career, I've personally met maybe a dozen people who run it.

Meanwhile, as the cloud gains popularity, some cloud vendors are thinking seriously about security. However, clouds are inherently riskier than traditional platforms, all other factors considered equal. First, all clouds rely heavily on virtualization, but virtualization platforms carry every security risk known to physical computers, as well as guest-to-guest and guest-host risks. On top of that, clouds have unique risks that aren't found elsewhere, including multitenancy (multiple customers sharing the same database), broad authentication and authorization schemes (not just your private directory service), and lack of location specificity. With the last issue, how can you protect your data when even the vendor probably doesn't know where it is specifically?

This is not to say that clouds can't be more secure than traditional networks. Most traditional networks I've assessed could only be improved by moving some of their data into the vendor's tremendously more secure datacentre. But I don't think clouds or thin clients will significantly change the number of vulnerabilities we face each day.

I used to think Internet crime would one day cause a catastrophic tipping point event, where the Internet, as a whole, went down for a day or so. I figured that the tipping point event, similar to the 9/11 attacks, would wake up the world to the Internet insecurities, and we'd eventually fix them. What I didn't expect is that we'd live with thefts of our money and identity, as bad as it is, as a normal part of life. I especially didn't think that as each new paradigm comes out - social networking, smartphones, thin clients, cloud computing, and so on - we'd relive the same problems over and over. You'd think that along the way we'd heed the lessons learned and be proactive in preventing them on the new platforms. But we're not there yet.
