Cloud Computing's Inherent Security RisksBy John Parkinson | Posted 04-13-2009
For the second time in six months, one of my credit cards was canceled and a new card was issued by the bank because of a third-party breach that might have released my (and many other) account details into the wild.
Note that this wasn't anything the bank nor I did. This was a merchant that had a breach that included stored credit card data. Never mind that the data should have been encrypted (or not stored there at all) and therefore not vulnerable in the event of a breach. Odds are that the thieves stole the keys as well anyway.
I'm happy that the bank acted quickly. I'm not happy that I must now update more than 200 places where the old card number is stored. Some of these I can only do from a specific location. It will take me about 10 hours to do this (I know because I timed it last time), and this time I'm going to delete a lot of these records and refuse to let the sites store card data. A little less convenient, but a lot safer.
All in all, it's going to consume a couple of thousand dollars of opportunity cost (my time is somewhat valuable--at least to me). And I have no guarantee that it won't happen again, even with my reduced digital footprint.
I'm pretty sure this is getting worse, not better. The online industry has spent several hundred billion dollars on various security measures. I spend a significant chunk of our budget on data protection and loss prevention. I see TV ads about how vendors are deploying ever-better technology to combat cyber-crime. And the bad guys still get in over and over again.
The way I see it, the bad guys have access to the same technologies and tools that I do, plus as-smart or smarter people to use them. They also have access to a lot more money than I do. And, of course, they have no constraints on using all three "assets" to attack and attempt to subvert whatever I or anyone else tries to do to prevent a breach.
I think that, over time, the bad guys are going to win.
It's just not going to be safe to store critical information in places you can't see, monitor and manage--at least, to some extent. And providing visibility, monitoring and management just adds more potential vulnerabilities.
It may not even be safe to store critical data on any device that is network-connected in a persistent fashion. It's not just a technology problem--although there is plenty of pretty poor technology out there. The total system is irredeemably vulnerable because it depends on people acting sensibly all the time.
This has big implications for the cloud computing investments a lot of people are making--and possibly for the entire SAAS approach. So far the bad guys aren't targeting these platforms in a big way, largely because there really isn't much there to steal. But when there is, you can bet they will be swarming. And if the past 10 years is anything to go by, they will soon be breaking in and carrying off the loot.
A really smart set of bad guys could even set up as a "legitimate" cloud services provider and simply skim a little off everything that flowed through their systems; get big enough or hold your data for ransom; or build entirely synthetic identities by combining snippets of individuals in novel ways so that every piece of data would check out as real--even though the aggregate identity was a fake.
These are just some of the things I worry about every day--without the cloud. And it's why you won't be seeing me out in the cloud any time soon.