Several factors combine to make data security in the cloud a challenge.
Web applications have fundamental vulnerabilities. HTTP is the cloud protocol of choice for everything from file backup in the cloud to Sales force management in the cloud. HTTP and HTML evolved from a protocol for static file delivery to a protocol for 2 way applications – a purpose for which they were never designed; let’s examine some of the data security issues with the current rich content Web 2.0 model:
1. The multiple layers at the server side from db server to Web server or App server are vulnerable to attack since the Web application passes messages to the data tier through several interfaces in order to execute SQL. The interfaces are vulnerable, in particular to SQL injection
2. HTTP is a stateless protocol. As a result, the simplest kind of Ajax application generates dozens of http transactions between the client and the server. The simplest autocomplete floods the pipe with Ajax transactions. If you have ever put a sniffer like Wireshark on the line you will see this. The rich interactivity on the client with Ajax generates a huge, disproportionate amount of traffic and a high price tag for simple operations. For example – in a tcp socket-socket link, if you want to know if there are new mail messages, no polling is required and the message length is just a few bytes. This is primarily a latency and load issue on the cloud computing infrastructure but also creates additional difficulties in detecting data loss and opens the door for network-based attacks such as a slow POST DDOS attack.
3. Passing messages between remote process (client and server) inside the query string is patently a bad idea that is not remedied by using https (although if you pass privacy data in a query string you must use https). It is a bad idea because it is fragile (may break on software changes) and vulnerable to any number of software bugs and exploits from buffer overflow to sql injection to simple query hacking. To get a feel for the order of magnitude of the problem, just google for web application security.
There is little free market demand for software security. The key demand-side driver for cloud computing is that it is a service that can be consumed at a variable cost like a utility. We might think that with all the headlines on data security breaches, that consumers would be discerning about the security of the service. However, data loss risk is negligible in a consumer buying decision since people use applications based on their utility and productivity and beauty of the UI not because of their security, since we all assume that the security is built-in. The cloud model requires the consumer to consider impact of data loss, similar to considering the impact of a power spike on home appliances with digital controllers. Data security in the cloud won’t happen by itself.
Enforcing data security in the cloud is harder than in the enterprise. Trusted insiders can exploit application vulnerabilities no matter where the application runs. However, our ability to detect data loss inside the cloud is far less than our ability to detect data loss inside an office network and more expensive to mitigate in a virtualized operating system environment.
Inside an enterprise network, you can put procedural, network monitoring and DLP solutions into place, however the same security countermeasures may not be supported by your cloud provider as a standard item. By implementing custom countermeasures in the cloud, you won’t enjoy the economy of scale of a shared, virtualized infrastructure nor benefit from the experience curve of the cloud service provider. It will become your problem.
Data security is about economics. If you want guaranteed service levels on the security of your IP and customer data that you store in a SaaS system, you need to RFP and negotiate the appropriate contract and security countermeasures (encrypting data at rest and in motion, employee monitoring, key management, data loss prevention, malicious software detection and more). Compliance with PCI DSS 2.0 and HIPAA may come at additional cost.
Data security in the cloud is a cost borne upstream by the customer and downstream by the cloud provider.
From a cloud service provider perspective, note that there are high fixed costs involved in providing capacity, customer support and secure infrastructure while the revenue from consumers is variable. Consumers that adopt a hybrid model for cloud delivery will have additional fixed and variable costs of operation.
In order to protect your data in the cloud, I suggest adopting some common-sense best practices:
- Before moving your application to the cloud, do some attack modeling and consider the value of your assets to be stored in the cloud, versus the cloud service costs and custom security measures you may (or may not need) to implement
- Invest in software security. Remember that hackers attack your software, not your security procedures.
- After you set a budget, choose a cloud service according to your threat model and read their dotted line on data security before committing