Security in the cloud

I don’t mean to rain on anyone’s cloud (ok … ok … been wanting to say that … ), but the double whammy of Google’s GMail and now zero-day phishing attack starts begging some serious questions of risk and security in “the cloud”. Ok, I know, there are many different clouds. Ones within a firewall and local to a campus, ones external to a firewall or at a remote campus. There are SaaS, PaaS, and-any-other-letter-you-wish-aaS type apps. And there are bad people who want to annoy you, pester you with Cyrillic spam (hey, I don’t speak Russian … not a clue what they say, and I get LOTS of them), steal your ID, and drain your accounts, grab your passwords, run off with your dog … You get the idea.

So when bad things happen to good *aaS applications, and then they are attacked … Ok, thats just an annoying attack, but there are some far more serious ones running in the wild right now. Attacks which make me very nervous about online banking, or logging into important websites, even with “SSL”. I could go off on security theatre right now … I have had meetings with banks that have tried to get our business, where they seem to think that a) IE is secure, b) windows is secure, c) that little lock in the browser means it is secure …. ummmm yeah. Ok. Right-o. What is that saying about De Nile? My current bank has … er … issues as well with its login bits. Won’t go into them. It scares me. Their websites are effectively *aaS apps. If I got into working with large data sets, large sums of money … I want to know that what I work with is secure even if the security model assumptions break down. Google was apparently attackable via features in its talk client. Malware got onto a desktop, and used Talk to propagate. It is interesting to study it, from an epidemiological view. What preventative measures can you undertake to prevent this sort of spread? But that’s not the issue. The issue is, that if the security model is somehow compromised, I don’t want damage to occur. To me, or to others. If it is impossible to prevent damage, then I want it minimized, or contained. Unfortunately, the *aaS models are still maturing, and I will argue that I don’t really believe that security has been adequately addressed on the web (yeah, the juxtaposition with the previous post is somewhat ironic, I am aware of this). Security is not a product, it is a process. If the process breaks down, you should have a reasonable hope of containment. I’d prefer to say expectation, but this isn’t always the case. What about web servers? Or remote storage? or remote cloud apps? What if there are holes in them? Or what if some of their wonderful features can be misused? Not what if… this isn’t theoretical … they can be misused. So the question is, how can you contain the damage? What was demonstrated today is that *aaS have holes … not necessarily in their functions … they did what they were supposed to. But someone wrote code that purposefully misused the tool. Can this purposeful misuse be detected and diverted? But this isn’t the only possible attack. The SSL striping attack pointed out above could impact “secure” sessions, and enable MITM (man in the middle) attacks. Keyloggers on windows systems have become a favorite attack vector for linux systems. I am not convinced that these folks really have an operation concept model of security. I am worried about this now in terms of our web store. Thinking specifically of “if we are compromised somehow, how can I limit damage?” and “what is at risk?” Seeing what some of the other people have done here, and the attacks I see going on, I get the feeling that they are looking at security as a process. As a lock icon. And if this is what security means to the *aaS vendors, you should run away … screaming.