I was just reading yet another story about cloud computing security issues. It’s time to separate the real cloud computing security issues from the highly unlikely and the totally ridiculous.
Leading the ridiculous list, there’s criminals infesting “the cloud” and criminals run the largest cloud! First of all, there’s no such thing as “the cloud” Google’s cloud, Amazon’s cloud, our cloud, they’re all separate and distinct clouds. If someone does something nefarious on one cloud, it doesn’t mean every cloud computing service is now breached. Second, while a botnet does superficially resemble a cloud from the outside, it’s missing a LOT of characteristics of a real cloud, notably virtualization. NOT a cloud (the cloudwashing is REALLY getting crazy).
Next on the ridiculous list is the idea that everyone should be able to audit the provider’s entire cloud infrastructure. While there are number of standard security actions to be taken (such as restricting access to the cloud hosts control interfaces), I don’t know any cloud provider who is going to allow customer approval of cloud server software versions or configurations. You might as well ask to approve all the provider’s routers and switches while you’re at it.
Next you have the FUD factor (fear, uncertainty, and doubt). The NSA declares they don’t like the cloud because you can’t be sure who’s “cuddling up” next to you. When you can’t come up with a real issue, invent an undefined boogeyman.
Cloud reliability is certainly a valid issue, what with highly publicized outages from the major cloud computing providers over the last year. Of course, this isn’t really a cloud computing security issue at all though.
So what are the REAL cloud computing security issues? Background checks on cloud provider employees is an entirely valid one. Thoroughly securing the cloud control interfaces or control domain (known as dom0 in Xen Cloud Platform) is another.
Updating the cloud operating systems and the virtual machine operating systems promptly when vulnerabilities are patched should be a no-brainer. Finally, good solid system administration practices on the virtual machines is critical. I’ve said this before, you’re far likely to have a virtual machine broken into directly because of bad practices (understrength passwords, poor password choices, etc) than you are to have any chance of someone invading through the cloud system itself. This is the exact same security issue that dedicated physical servers have had forever and it’s addressed the exact same way, no special procedures because it happens to be a virtual machine running on a cloud.
The reality is that cloud computing security hasn’t changed that much from dedicated physical servers. Don’t let the cloudwashing and other silliness distract you from REALLY securing yourself in a cloud.
Email or call me or visit the SwiftWater Telecom web site for cloud computing services (with real honest to goodness security)!