Is the Cloud an opportunity to improve security, or the doorway to disaster?
The world is divided into those who believe the cloud to be a security nightmare, and those who believe it to be an opportunity to improve security. I belong to the latter; but I cannot deny that the majority of surveys support the former. The latest is from Fortify Software, and was conducted at the recent DEF CON in Las Vegas.
Fortify questioned 100 of the elite IT professionals attending this year’s hacker conference – and 96% believed that hackers view the cloud as having a silver lining for them. There is a strong belief that the cloud providers are not doing enough to address the security issues in their services. “89% of respondents said they believed this was the case and, when you analyze this overwhelming response in the light of the fact that 45% of hackers said they had already tried to exploit vulnerabilities in the cloud, you begin to see the scale of the problem,” said Barmak Meftah, chief products officer at Fortify.
Well, there’s nothing like going to DEF CON to get it straight from the horse’s mouth – so do I need to change my view? Given that Gartner predicts that “By 2012, 20 percent of businesses will own no IT assets” largely (though not entirely) because of an increasing migration into the cloud, are we actually heading for a security meltdown? In reality, of course, I don’t need to change my view at all: the two options are not mutually exclusive. The cloud does provide an opportunity to get security right; but if companies don’t take that opportunity, then it is more likely to lead to a security nightmare.
And I suspect the real problem is down to motivation. Cloud providers (apart from security-as-a-service providers) haven’t set out to deliver security – they are providing a service. So providing an acceptable service at the minimum cost is the priority. Similarly, companies moving their own processes into the cloud are not doing so to improve their security – they are doing it to reduce their costs. The likelihood is that we will simply repeat all the mistakes we have already made: we will attempt to bolt security on after the event (the cheapest option) rather than take the opportunity to design it into the process (much more expensive in the short term). And that supports the meltdown scenario.
Fortify has its own recommendations. “More than anything, this research confirms our ongoing observations that cloud vendors – as well as the IT software industry as a whole – need to redouble their governance and security assurance strategies when developing solutions, whether cloud-based or not, as all IT systems will eventually have to support a cloud resource,” says Meftah. “It is of great concern to us here at Fortify that the message about software assurance has still to get through to everyone in the software development community, and the DEF CON survey results strengthen our resolve to get this message across to as large an audience as possible.”