The Biggest Cloud Computing Security Risk Is Impossible to Eliminate
August 10, 2012
Even pieces written well before the Honan attack pointed out that Apple had made iCloud "reasonably" secure but built in security flaws to keep control of the network itself and help return access or data to clueless end users.
Every other public cloud service did the same thing, for the same reasons. One person's security flaw is another person's fail-safe mechanism. Every cloud needs a back door for end users who can't get in; the problem is that locks on the back door are just as flimsy as those on the front. No matter how secure it's possible to make cloud services, it will never be possible to make them secure enough that clueless users won't lock themselves out and unscrupulous hackers won't be able to weasel their way in.
Honan isn't a clueless user; he didn't use stupidly simple passwords or his Social Security number as a username. He just failed to turn on every single security feature available on every Web service he used.
Is it fair to expect end users to make up for gaps in the security of major services? No. Woz is right that cloud is a horrendous risk, but it's only marginally more risky than more traditional IT.
An iCloud or Twitter account may be easier to see, and therefore easier to target. That doesn't mean the risk of losing data from iCloud is greater than the risk of losing it to thieves who swipe your end users' iPads or iPhones. No matter what Apple, Amazon, Twitter or Google do, cloud computing security risks will never go away.
The answer isn't total security; the answer is balanced risk. Backing up data into comparatively safe harbors (cloud storage, enterprise backup or external hard drive) drastically cuts the risk of catastrophic data loss. It also adds the risk that your backup could be hacked, but there's no benefit without concomitant risk.
The trick is picking the security measures that work for you but don't make your tech so inconvenient you avoid it completely.
Security is inconvenient. It's expensive. It's impossible to cost-justify unless you actually see it stamping out a threat. It's also inconvenient to lock your front door and carry keys with you everywhere you go. There's no better chance of stamping out insecurity online than there is in real life.
Don't assume because some people get hacked that it's necessary to make your cloud or your users' laptops or smartphones invulnerable. It's not. It is necessary to take precautions appropriate to the situation, whether you're using the cloud or the Web or an internal glass-house, ultra-secure data center.
Forgetting where your data is, or what precautions are appropriate for each of the places in which it's stored, is a quick way to find out what real threats surround you.
Cloud security is as simple as that--though in IT, simple is relative. Simple security still means you have to pay attention, keep your backups complete and hope your service provider's customer service isn't quite as forgiving or naively helpful as Mat Honan's.
Kevin Fogarty is a freelance writer covering networking, security, virtualization, cloud computing, big data and IT innovation. He blogs daily at ITWorld.com; his byline has appeared in The New York Times, The Boston Globe, CNN.com, CIO, Computerworld, Network World and other leading IT publications. Write to him at email@example.com or on Twitter at @kevinfogarty.