Join leading cyber security expert, George Wrenn, for a dynamic discussion surrounding cloud computing.
For most organizations, the migration to the cloud has been a mixed bag. Some have been successful in moving older client/server applications to the cloud, while others have taken a more conservative approach, moving only lower criticality applications to the cloud.
How the public cloud creates vulnerabilities
The main objective of this article is to understand the limits of existing cloud security and computing in order for your organization to make the best decisions possible.
While very few organizations are the same with respect to the “use case” when it comes to migrating to the cloud, nearly all have similar opinions on the benefits and dangers of cloud computing.
In this article we will explore the myriad of issues that most cloud savvy leaders either understand entirely and refuse to acknowledge, or understand, but are willing to accept as the “risk” of doing business online.
Each organization differs in its goals and ultimately in how they choose to securely utilize cloud computing.
The four secrets
- Cloud computing workloads on public cloud services allow multiple customers to use the same server at the same time. While there is some isolation between the tenants, mostly on the file systems or database access credentials, the systems share memory, hypervisors, CPU and network interfaces. If you are hosting a site that raises money for charity, you may be only one file or operating system error away from your neighbor on the server. Not a problem if your neighbors are well behaved, however you may be on a server with nefarious or questionable individuals. This setup is a prime target for hypervisor attacks, operating system weaknesses or worse.
- Cost savings are a major draw to cloud computing. CFOs were exuberant with their CIO and CTO peers on the financial benefits of cloud computing. Well, depending on how you “do the math” on the total cost of ownership, results can vary dramatically. The truth is, however, if you want to compare costs, compare apples to apples. How much per year does a “dedicated” cloud server cost? Well, on average, the difference in cost can be staggering. Not to mention the level of aforementioned security of sharing with potentially hundreds of other organizations. The answer is shocking. We have seen costs for dedicated cloud servers as high as 10 times the hourly cost of “shared” compute time. So your $500 invoice, if run as dedicated servers, would climb to over $5,000 per month or $60,000/year. At that rate you could afford to buy more compute, storage and memory for half the cost and operate it inside your data center without getting nickel and dimed to death.
- If you think computer security forensics are hard to do on local systems, try it with one of your cloud systems for a real challenge. How does an organization place a hold on a hard disk or SSD when 80 other organizations are using the same drive array? Not easily performed. What about memory dumps or hypervisor logs from the cloud provider? Again, not easily done or maybe impossible for some. Do you know what your cloud provider can support in terms of forensic information on a quick turnaround request? If not, time to ask.
- There is an old saying in risk management, “…you can accept, transfer, or eliminate a risk…”. These are three things you can do with a risk. Unfortunately, many executives and IT folks believe that they are “transferring risk” to the cloud provider for your applications. This could not be further from the truth. Cloud providers have a “shared” responsibility model that includes your responsibility to develop, deploy, patch and monitor the security of your applications. Reading the fine print in your cloud agreement should be at the top of your to-do list. That is, if you want to know what risks you are taking with a given cloud provider’s security.
While cloud computing offers exciting and quick-to-deploy features over some in-house systems, the costs in the long run are going to add up to a large sum of money. This may be allowable at your organization, but you really need to know the truth about cloud computing; the novel risks it presents and its security capability before jumping into the deep end of cloud deployment.
George Wrenn is a founder of Letosecurity, a full-service cybersecurity, risk and privacy consultancy. Prior to this company he was the founder and CEO of CyberSaint Security, an integrated risk management company that streamlines and automates risk, compliance, and privacy programs. Prior to founding CyberSaint, George was the VP of cybersecurity (CSO) for Schneider Electric, a global energy company. As a Graduate Fellow and researcher at MIT for over a decade, He has completed research and advanced coursework at the MIT Media Lab, the Sloan School of Management, the School of Engineering, the School of Architecture, and most recently, the MIT Security Studies program working on Cyber Warfare frameworks. He has more than 25 years of experience in the field of cybersecurity.