This time it was Netvision offering me a special deal on Symantec anti-virus and a $5/month service package for virus updates.

It is convenient for a customer to buy a product and feel “secure” but, as businesses become more and more interconnected, as cloud services percolate deeper and deeper into organizations, and as  government compliance regulation becomes more complex and pervasive; the security “problem” becomes more difficult to solve and even harder to sell.

I believe that there are 3 reasons why it’s hard to sell security:

The first is that it’s complex stuff, hard to explain and even harder to build a cost-justified security countermeasure plan and measure security ROI.  The nonsense propagated by security vendors like Symantec and Websense do little to improve the situation and only exacerbate the low level of credibility for security product effectiveness with  pseudo science and ROI calculations written by wet-behind-the-ears English majors marcom people who freelance for security vendors – as I’ve noted in previous posts here, here, here and here.

The second is related to prospect theory. A CEO is risk hungry for a high impact, low probability event (like an attack on his message queuing transaction processing systems) or theft of IP by a competitior and risk averse to low impact, high probability events like malware and garden variety dictionary attacks on every ssh service on the Net.

The third is related to psychology.   Why is it a good idea to cold call a CIO and tell him that the multi-million dollar application his business developed is highly vulnerable?    Admitting that his software is vulnerable and going to the board to ask for big bucks to fix the problem is tantamount to admitting that he didn’t do his job and that someone else should pay the price.  Very bad idea.

This is why cloud services are a hit.

Security is baked into the service. You pay for the computing/storage/messaging resource like you buy electricity. The security is “someone else’s problem”  and let’s face it, the security professionals at Rackspace or Amazon or Google App Engine are better at security than we are. It’s part of their core business.

The next step after cloud services is the security industry evolving into a B2B industry like the automotive or energy industry.  You don’t buy brakes from a McAfee and a car from Checkpoint – you buy a car from GM and brakes are part of the system.

That’s where we need to go – building the security into the product instead of bolting it on as an after-sale extra

It is now time to slaughter one more sacred cow: SSL.

One of the most prevalent misconceptions with vendors in the medical device and healthcare space regards the role of SSL and TLS in protecting patient information.  When faced with a requirement by a government or hospital customer for compliance to one of the US privacy and security standards, a vendor usually reacts with the CEO asking his CTO to look into “solutions”. The CTO’s answer usually goes  like this:

I did some research. Apparently to be FIPS  (or HIPAA, or …) compliant we should use TLS and not SSL. I think that configuring the browser to be FIPS  (or HIPAA, or …) compliant may take a little work.

Action items are given out to the technical team, they usually look like this:

Joe – You establish a secure web site

Jack - Make sure all the addresses on the workstation point to https instead of http

Jack and Joanne - Compile a new version of the Servers and workstation to work properly on the new site.

Jack and Jill - Do what ever needs to be done so that the web services work on the new site.

That’s all – No other changes need to be done to the application.

Oooh.  I just love that last sentence – “No other changes need to be done to the application”.  What about patching Web servers and the Windows operating systems? What about application software vulnerabilities?  What about message queue vulnerabilities ? What about trusted insiders, contractors and business partners who have access to the application software?

There are multiple attack vectors from the perspective of FIPS and HIPAA compliance and PHI data security.  The following schematic gives you an idea of how an attacker can steal PHI, figure using any combination of no less than 15 attack vectors to abuse and steal PHI:

There are potential data security vulnerabilities in the client layer, transmission layer, platform layer (Operating system) and cloud services (Amazon AWS for example).

So where does SSL fit in? Well, we know that the vulnerabilities for a PHI data breach can not only happen inside any layer but in particular there are vulnerabilities in the system interfaces between layers. That means between server layers and client-server interfaces.  SSL  Quoting from the Apache Tomcat 6.0 SSL Configuration HOW-TO:

SSL, or Secure Socket Layer, is a technology which allows web browsers and web servers to communicate over a secured connection. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning that both the server AND the browser encrypt all traffic before sending out data.

Another important aspect of the SSL protocol is Authentication. This means that during your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials, in the form of a “Certificate”, as proof the site is who and what it claims to be. In certain cases, the server may also request a Certificate from your web browser, asking for proof that you are who you claim to be. This is known as “Client Authentication,” although in practice this is used more for business-to-business (B2B) transactions than with individual users. Most SSL-enabled web servers do not request Client Authentication.

In plain English, SSL is good for protecting credentials transmitted between the browser and web server during the login process from eavesdropping attacks.  SSL may still be vulnerable to man in the middle attacks by malware that piggybacks on the plain text browser requests and responses before they are encrypted. Similarly, SSL may be vulnerable to cross-site scripting attacks like the Paypal XSS vulnerability discovered in 2008 that would allow hackers to carry out attacks, add their own content to the site and steal credentials from users.

SSL is a key component in a secure login process, but as a security countermeasure for application software vulnerabilities, endpoint vulnerabilities, removable devices, mobile devices and data security attacks by employees,  servers and endpoints, it is worse than worthless because it sucks the medical device/healthcare vendor into a false feeling of security.

SSL does NOT make a medical device/healthcare Website secure. The SSL lock symbol in the  browser navigation window just means that data in motion between a browser client and Web server is encrypted.   If you can attack the endpoint or the server – the data is not protected. Quoting Gene Spafford ( I think this quote has been used for years but it’s still a good one)

“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.”
– Gene Spafford Ph.D. Purdue, Professor of Computer Sciences and Director of CERIAS

This is all fine and dandy, but  recall our conversation from the CTO giving action items to his team to “establish a secure web site” as if it was point and click on a Microsoft Office file. The team may discover that even though SSL is not a very good data security countermeasure (albeit required by FIPS and HIPAA), it may not be that easy to implement, let alone implement well.

It’s no wonder that so many web servers are misconfigured by the clueless being led by other clueless people who never read the original documentation and were all feeding off google searches for tutorials. Yikes!

Most people don’t bother reading the software manuals and google for advice looking for things like “Tomcat SSL configuration tutorial“.  Jack, and Jill and Joanne in our example above, may discover themselves wandering in an  abundance of incorrect,incomplete and misleading information in cyberspace, which is mixture of experts who assume everyone  knows how to setup secure AJP forwarding and Tomcat security constraints and a preponderance of newbies who know nothing (or a little bit, which is worse than nothing).

Working with a client in the clinical trial space, I realized that the first and perhaps biggest problem is a lack of decent documentation, so I wrote SSL and Certificate HOW TO – Apache 2.2 and Tomcat 6, Ubuntu which I hope will be my modest contribution (along with this blog) to dispelling some of the confusion and misconceptions and helping medical device and healthcare vendors implement secure Web applications. No promises – but at least I try to do my bit for the community.

As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally.

Sponsored by security and compliance auditing vendor nCircle, the Webinar pitch didn’t cite any sources for the $1 trillion number nor the $43.5 billion number.

A little googling revealed the UK government report UK Cyber crime costs UKP 27BN/year. Published on the BBC’s website, the report offers a top-level breakdown of the costs of cybercrime to Britain using a fairly detailed scheme of classification and models. Regardless of how badly UK businesses are hit by cybercrime, there are several extremely weak points in the work done by Detica for the UK government.

a) First  - they don’t have any empirical data on actual cybercrime events.

Given the number of variables and lack of ‘official’ data, our methodology uses a scenario- based approach.

Which is a nice way of saying

the UK government gave us some money to do a study so we put together a fancy model, put our fingers in the air and picked a number.

b) Second – reading through the report, there is a great deal of information relating to fraud of all kinds, including Stuxnet which has nothing to do with the UK cyber crime space. Stuxnet does not seem to have put much of a dent in the Iranian nuclear weapons program although, it has given the American President even more time to hem and haw about Iranian nuclear threats.

What this tells me is that Stuxnet  has become a wakeup call for politicians to the malware threat that has existed for several years. This may be a good thing.

c) Third – the UK study did not interview a single CEO in any of the sectors they covered. This is shoddy research work, no matter how well packaged. I do not know a single CEO and CFO that cannot quantify their potential damage due to cyber crime – given a practical threat model and coached by an expert not a marketing person.

So – who pays the cost of cyber crime?

The consumer (just ask your friends, you’ll get plenty of empirical data).

Retail companies that have a credit card breach incur costs of management attention, legal and PR which can always to leveraged into marketing activities. This is rarely reported in the balance sheet as extraordinary expenses so one may assume that it is part of the cost of doing business.

Tech companies that have an IP breach is a different story and I’ve spoken about that at length on the blog. I believe that small to mid size companies are the hardest hit contrary to the claims made in the UK government study.

I would not venture a guess on total global cost of cyber crime without empirical data.

What gives me confidence that the 1 Trillion number is questionable is that it just happens to be the same number that President Obama and other leaders have used for the cost of IP theft – one could easily blame an Obama staffer for not doing her homework….

If one takes a parallel look at the world of software piracy and product counterfeiting, one sees a similar phenomenon where political and commercial organizations like the OECD and Microsoft have marketing agendas and axes to grind leading to number inflation.

I have written on the problems associated with guessing and rounding up in the area of counterfeiting here  and software piracy.

Getting back to cyber crime, using counterfeiting as a paradigm, one sees clearly that the consumer bears the brunt of the damage – whether it’s having her identity stolen and having to spend the next 6 months rebuilding her life or whether you crash on a mountain bike with fake parts and get killed.

If consumers bear the brunt of the damage, what is the best way to improve consumer data security and safety?

Certainly – not by hyping the numbers of the damage of cyber crime to big business and government. That doesn’t help the consumer.

Then – considering that rapid rollout of new and even sexier consumer devices like the iPad 2, probably not by security awareness campaigns. When one buys an iPhone or iPad, one assumes that the security is built in.

My most practical and cheapest countermeasure to cyber crime (and I will distinctly separate civilian crime from terror ) would be education starting in first grade. Just like they told you how to cross the street, we should be educating our children on open, critical thinking and not talking to strangers anywhere, not on the street and not on FB.

Regarding cyber terror – I have written at length how the Obama administration is clueless on cyber terror

One would hope that in defense of liberty – the Americans and their allies will soon implement more offensive and more creative measures against Islamic and Iranian sponsored cyber terror than stock answers like installing host based intrusion detection on DoD PCs

Wikileaks gives a leaker immediate visibility to her/his message. Once Wikileaks publishes the data, it’s  highly visible due to the tremendous conventional media interest in Wikileaks.  I doubt that PFC Manning, if he had a blog somewhere in the long tail of the Internet, would have made such an immediate impact.

Unlike Wikileaks, data theft of intellectual property or credit card data is motivated by the economic gain. In the case of Wikileaks, the motivation is social or political.  With cheap removable storage devices, smart phones, tables, dropbox and wireless network connectivity “employees with personal agendas will be more likely to jeopardize their careers in order to make a passionate statement“.

Network  DLP is a poor security countermeasure against the Wikileaks class of data breach. Network DLP can network-intercept but not analyze obfuscated data (encryption, embedded screenshots, steganography) and is blind to removable media and smart phones. The best technical countermeasure against a leak must be at the point of data use. First described in a 1983 DOD study called “The Trusted Computer System Evaluation Criteria” (TCSEC)  a user end point needs to be “instrumented” in order to identify and intercept content and mitigate threats before they can occur. This requires identification of the trusted user, appropriate content interception and analysis and the ability to tie the results into actionable forensics. Detecting data loss at the end point, is notably Verdasys’s key strength.

However – there are a few  points in the article that need to be addressed:

Insider theft of sensitive data is not new. WikiLeaks is just the latest outlet for the disaffected individual to be amplified in our interconnected world… WikiLeaks is merely the latest enabler of the populist-driven “Robin Hood” syndrome.

I don’t subscribe to the notion that data theft has always been an issue.   20 years ago, we had industrial espionage of trade secrets or national espionage of defense secrets – not the widespread data leaks we see today.  Conditions in 2011 are different then they were in the 80s when my father worked at TRW Defense and Space Systems in Redondo Beach.  Data breaches are driven by motive, means and opportunity – motive: under 30 something people have a sense of entitlement – they have a Blackberry, a nice car, a nice girlfriend, good standard of living, a 250K college education and a sense that they can do whatever they want without paying the price..  means – mobile and removable devices, Web services… opportunity – a leaker is in positions of access. Given the right stimulus (hating Obama,  despising Hilary, liking a bribe from Der Spiegel) they will get to the data, leave their ethics at the door and do the deed. Calling the phenomena “Robin Hood” is too gracious.

Trade secret and IP theft is projected to double again by 2017 with 2008 losses reaching one trillion dollars!

The $1 Trillion number for the financial losses due to IP theft  was mentioned in a McAfee press release (they took  the item off their web site…) and later quoted by President Obama’s in his talk on “aggressively protecting intellectual property”.

Since the 1 trillion number is  the cornerstone of both vendor and political argumentation for protecting IP, the number bears closer scrutiny. We will see that the $1 trillion number is no more than a love for round numbers, not unlike Gordon Browns love for round numbers “Bring 1,000 troops home for Christmas”.

Referring to Bessen and Maurer “Patent  Failure” and other research articles, the empirical data shows a different picture. Global patents held by US firms as of 1999 was $122BN in 1992 dollars.  Even if that number tripled in 20 years that means that the total IP value is 360BN so it’s impossible that 1 Trillion was “lost”.  I will discuss what loss of IP actually means in a moment.

Examining firm level data, we see that worldwide value of patent stocks is only about 1% of market value.   Note that the majority of this value is owned by a small number of large pharmaceutical companies.   Then, we have to net out litigation and IP legal costs from the net patent rents (the above-normal returns) that a company earns from it’s IP.

And to provide a sanity check on how disproportionate the 1 Trillion dollar IP loss number really is, consider that at  GSK (and their numbers are consistent with the other big innovative pharmas) – cost of sales is 26% of expenses, marketing – 31% and R&D 15%.  Now we know 2 things: (a) that the big pharmas account for most of the IP and (b) most of their money is in sales and marketing. If 10 big pharmas with a total of 100BN operating profit had lost a Trillion dollars, they would all be bankrupt by now,  but they are all alive and kicking and selling us everything from Viagra to Remicade.

What does the loss of intellectual property actually mean?  After all, it’s not like losing cash.

In a threat analysis I did for a NASDAQ traded firm with significant IP – I determined together with the CFO and the board that their exposure to IP leakage was about 1% of their market cap – they understood that you cannot “lose” IP – but when it’s leaked it goes to a competitor who may gain a time to market advantage – and that advantage is only temporary.   At another public firm where I did a threat analysis using the same methodology, the CEO and board determined that the exposure to IP theft was negligible since the competitors needed 12-18 months to implement stolen IP and since the firm was operating on a 12 month product release cycle, they were ahead of the competition who were using stolen IP.  In other words – it’s better to innovate than to steal and try to re-implement.  This is particularly true in the software industry where the cost of implementation is far higher than the time and cost to develop the algorithm.

Reading Bill’s article, one would naturally ask, given the magnitude of the problem and the effectiveness of Verdasys technology, why doesn’t every company in the world deploy end point DLP like they deploy a firewall.  I think that the answer lies in the actual magnitude of the financial impact of data leakage.   The State department cables Wikileaks disclosure may or may not have been orchestrated by the Obama administration itself – but arguably, no economic damage and no tangible damage was incurred to the US political image or image of it’s allies.  If  real damage had been done to the US, then Hilary would be keeping Jonathan Pollard company.

I think that Verdasys and other DLP vendors miss one of the key strengths of data loss detection/prevention technology: real time feedback to an organizations users, and the deterrent value.   As Andy Grove once wrote – “a little fear in the workplace is not necessarily a bad thing“.

With increasing consumerization of IT, entitled employees will have even more means at their disposal and even more blurring of business boundaries by sexy personal devices.

What is a company to do?  That leaves us with good management and a corporate culture with employee values of competitiveness that drives value that drives rewards both intangible and tangible for the employee.  If it’s just about the money – then an iPhone is worth a lot more than a $500 bonus but engendering a sense of being involved and influencing the business at all levels – even if it’s just a kind word once a day – will be worth 100 fold that number and go a long way towards mitigating the vulnerability of employee entitlement.

I’d like to conclude with a call to the marketeers at McAfee, Symantec, IBM, Oracle, Websense, Fidelis, Checkpoint and Verdasys. Let’s shift the DLP marketing focus from large federal customers and banks and explain to small to medium sized enterprises how DLP technologies can protect the value of their implementation techniques and intellectual property.

For a 10 man vaccine startup the secret is in the recipe, not in the patents.  For a SME with IP – it’s not the IP licensing value, it’s difference between life and death.  And death trumps money any day of the week.

You can download the paper “Protecting Against WikiLeaks Events and the Insider Threat” on the Verdasys Web site.

Sex – despite the huge volume of content in the digital and print media, is one of those phenomena that demonstrate an inverse relationship between substance and talk.    The more talk, chances are, the less substance actually going on. The less talk, the higher a probability that something serious is really going on between you and your partner.  When things are cooking for you and your wife/girl friend  you don’t have time to be writing about it on your blog. When things are rough,  you will probably be a bit shy about going into detail on Facebook.  But it’s a lot easier to talk about other people, who’s hot and who’s not.

Just like data security and global terror.  It’s a lot easier to talk about the Middle East and ignore what’s happening in your own backyard.   It’s like  ”other peoples money” – something you can spend without worrying too much.

Using this metaphor, the data security industry is like sex.   Lots of talk and press releases about data breaches, plenty of marketing communications written by clueless communications majors just out of school working for Symantec and Mcafee and recycling of Gartner reports ad nauseum.  But – a lot less in the vulnerability and risk mitigation department and generally low levels of willingness to talk about security failures in an organization or what really works.

Since this is part of the human chemistry – I don’t imagine this will change in the near future but for sure we will have a lot of fun, just like great sex.

I think we’re ignoring the emotional content of security and I don’t necessarily mean FUD (fear uncertainty and doubt).

Perhaps it’s time to reconstruct market boundaries of the security industry.

At the beginning, there was the notion of “selling security with FUD“, starting with anti-virus and peaking in the early 90s with the outbreak of RPC worms on Wall Street. It was pretty easy to sell security with FUD tactics. Then we had 9/11.   You couldn’t frighten people anymore.   Security FUD doesn’t work when the customer thinks he might be killed by an Al Qaeda or Hamas or Fatah terrorist.

Then there was the “selling security as an enabler” play, sponsored by Gartner, ISACA and a bunch of other people.  This sort of made sense – but the number of real use cases where security actually enables new business (VPN, secure ecommerce sites) is rather limited and besides, the big IT vendors can build (or at least purport to build) security into their products. Educating customers on “security as a business enabler“ is a wonderful example of how market education  pays off at the beginning of a new product life-cycle launch, but low or no benefits at all when the product has mainstreamed into general market acceptance and everyone is selling and buying.

A good example of a product that mainstreamed extremely quickly is the Apple iPad,  Now after CES  we have dozens of mobile tablets, Android tablets, Windows Mobile tablets, Ubuntu tablets alternatives of all shapes, sizes and qualities. No one is questioning that a tablet is a great thing – Apple already did the market education for the other vendors.

Market education of  CEOs to the business  advantages of data security is like motherhood and apple pie, it’s a good thing. Similar to the tablet PC case, however, this sort of market education has zero or low ROI – because the CEO has already decided to buy or not buy security based on what someone else said – whether its’ Perot Outsourcing services, IBM, Oracle or his golf-partner.

Consultants explaining to a CEO that security is a business enabler are selling the same security coolade as Oracle, IBM, ISACA and SAP. The only problem is that a security  consultant doesn’t sell a product, but bolt-on/after sale services – and generally doesn’t get compensated for his deep security insights over coffee.

Let’s note that the information security industry is an industry like most other industries:

• They define their industry similarly, focusing on being the best.
• They look at accepted strategic groups of buyer and market segments, for example CSOs and firewalls
• They focus on the same buyer groups – e.g influencers (security officers, CIOs, analysts and thought leaders)
• They define the scope of products similarly- data security, firewalls, DLP, software security assessments etc..
• They focus on the same point in time and current competitive threats in formulating strategy; now it’s cloud, last year was DLP etc…

But there is one factor we are missing and that is emotion:

Does the security industry accept the functional/emotional orientation of their buyers?

I’m not sure.  And that – will be the topic for the next post

Malicious Attack on the message

The beauty of  HTTP Web Services is that traffic flows through port 80 and port 443 and it uses a human-readable format (XML or JSON). This is also the key vulnerability.  A typical IT / system administration approach that relies on protecting Web service providers with a firewall/IPS setup is not very effective.  We will explain why.

Firewalls do a good job of port monitoring and recognizing brute force malicious attack but are not good at being able to view the content of messages in order to detect and prevent more sophisticated security compromises. While most firewalls can recognize SOAP as well-formed HTTP traffic they cannot inspect the actual content of the SOAP message or JSON data. Web Services interfaces are much more complex than Web site interfaces which exchange HTML pages and forms. Web service interfaces are like software API’s and expose database functionality. In addition, an attacker has more information available to them. The message is often self-describing and clearly shows the data elements.

A Web service provider is a juicy, self-describing target.

Replay Attack
Similar to Denial of Service, replay attacks involve copying valid messages and repeatedly sending them to a service. Similar techniques for detecting and handling Denial of Service can be applied towards replay attacks. In some ways, replay attacks are easier to detect with Web Services because payload information is more readily available. With the right tools, patterns can be detected more easily even if the same or similar payload is being sent across multiple mediums like HTTP, HTTPS, SMTP, etc.

Buffer Overflow
An attacker can send a parameter that is longer than the program can handle, causing the service to crash or for the system to execute undesired code supplied by the attacker. A typical method of attack is to send an overly long request, for instance, a password with many more characters than expected. Similar to buffer overflow attacks; hackers often send malformed content to produce a similar effect. Sending in strings such as quotes, open parentheses and wildcards can often confuse a Web Service interface.

Dictionary Attack
Dictionary attacks are common where a hacker may either manually or programmatically guess passwords to gain entry into the system. Administrators should ensure that passwords are difficult to guess and are changed often.

Intrusion Detection of attacks by malicious outsiders
Proactively securing all of the possible misuses of Web Services is almost impossible. Security policies and strict access control management should help reduce the occurrence of intrusion. An IPS will detect anomalous attack behavior and if monitored may help the security team mitigate the threat.

Extrusion detection of attacks by trusted insiders
Attackers are usually thought to be outside of the organization. However, most security breaches occur from within the organization. With Web Services, more functionality is available to a more people. Access to confidential information or embezzlement of funds is just some of the possible internal security breaches that can be performed by employees or former employees. Because employees are the most familiar with internal systems, detection can be made extremely difficult. Unintentional compromises are also possible. If an interface is unsecured, an employee may accidentally access information that they are not intended to view. Since Firewalls are insufficient for data breach, we would require use of a DLP –  Data loss  prevention system such as Fidelis XPS or WebSense DLP.

Threat containment
Once a security breach is detected, being able to shut down systems and reject traffic from specific sources are important for handling a compromise.  A DLP system provides real-time detection, forensics recording and  the ability to drop traffic from specific IP source addresses in order to properly mitigate the threat.

In a burst of wikipanic, Bank of America has dived into full-on counterespionage mode…15 to 20 bank officials, along with consulting firm Booz Allen Hamilton, will be “scouring thousands of documents in the event that they become public, reviewing every case where a computer has gone missing and hunting for any sign that its systems might have been compromised.”

Interesting that they needed Booz and Hamilton.  I thought Bank of America was a Vontu DLP (now Symantec) customer.  It says something about the technology either not working, being discarded or simply not implemented properly because the Wikileaks announcement was made in October 2009. So it took BoA over a year to respond.  Good luck finding forensics over a year after the leak happened.

This is a good thing for information security consultants and solution providers, especially if it drives companies to invest in DLP. There are some good technologies out there and companies that implement DLP thoughtfully (even if for dubious reasons) will be profiting from the improved visibility into transactions on their network and better protection of IP and customer data.

Ethics of the bank executive aside, it is conceivable (albeit totally speculative), that the Obama administration is behind the Wikileaks disclosures on US banking. It is consistent with the Obama policy that required banks to accept TARP funds and stress testing in order to make the financial institutions more beholden to the Federal government. This is consistent with the State Department cables leak, which also appears (from my vantage point in the Middle East) to be deliberately disclosed to Wikileaks in order further the agenda against the Iranians without coming out and saying so specifically.

Web applications have fundamental vulnerabilities. HTTP is the cloud protocol of choice for everything from file backup in the cloud to Sales force management in the cloud. HTTP and HTML evolved from a protocol for static file delivery to a protocol for 2 way applications – a purpose for which they  were never designed; let’s examine some of the data security issues with the current rich content Web 2.0 model:

1. The multiple layers at the server side from db server to Web server or App server are vulnerable to attack since the Web application passes messages to the data tier through several interfaces in order to execute SQL.  The interfaces are vulnerable, in particular to SQL injection

2. HTTP is a stateless protocol. As a result, the simplest kind of Ajax application generates dozens of http transactions between the client and the server. The simplest autocomplete floods the pipe with Ajax transactions.  If you have ever put a sniffer like Wireshark on the line you will see this.  The rich interactivity on the client with Ajax generates a huge, disproportionate amount of traffic and a high price tag for simple operations.   For example – in a tcp socket-socket link, if you want to know if there are new mail messages, no polling is required and the message length is just a few bytes. This is primarily a latency and load issue on the cloud computing infrastructure but also creates additional difficulties in detecting data loss and opens the door for network-based attacks such as a slow POST DDOS attack.

3. Passing messages between remote process (client and server) inside the query string is patently a bad idea that is not remedied by using https (although if you pass privacy data in a query string you must use https). It is a bad idea because it is fragile (may break on software changes) and vulnerable to any number of software bugs and exploits from buffer overflow to sql injection to simple query hacking.  To get a feel for the order of magnitude of the problem, just google for web application security.

The current rich Web 2.0 model is broken, not because Javascript or PHP are bad, it’s just that the existing Web application stack on server and client is a bad fit to the world of applications.

There is little free market demand for software security. The key demand-side driver for cloud computing is that it is a service that can be consumed at a  variable cost like a utility. We might think that with all the headlines on data security breaches,  that consumers would be discerning about the security of the service.  However,  data loss risk is negligible in a consumer buying decision since people use applications based on their utility and productivity and beauty of the UI not because of their security, since we all assume that the security is built-in.  The cloud model requires the consumer to consider impact of data loss, similar to considering the impact of a power spike on home appliances with digital controllers.  Data security in the cloud won’t happen by itself.

Enforcing data security in the cloud is harder than in the enterprise. Trusted insiders can exploit application vulnerabilities no matter where the application runs.  However, our ability to detect data loss inside the cloud is far less than our ability to detect data loss inside an office network and more expensive to mitigate in a virtualized operating system environment.

Inside an enterprise network, you can put procedural, network monitoring and DLP solutions into place, however the same security countermeasures may not be supported by your cloud provider as a standard item.   By implementing custom countermeasures in the cloud, you won’t enjoy the economy of scale of a shared, virtualized infrastructure nor benefit from the experience curve of the cloud service provider.  It will become your problem.

Data security is about economics. If you want guaranteed service levels on the security of your IP and customer data that you store in a SaaS system, you need to RFP and negotiate the appropriate contract and security countermeasures (encrypting data at rest and in motion, employee monitoring, key management, data loss prevention, malicious software detection and more).  Compliance with PCI DSS 2.0 and HIPAA may come at additional cost.

Data security in the cloud is a cost borne upstream by the customer and downstream by the cloud provider.

From a cloud service provider perspective, note that there are high fixed costs involved in providing capacity, customer support and secure infrastructure while the revenue from consumers is variable. Consumers that adopt a hybrid model for cloud delivery will have additional fixed and variable costs of operation.

In order to protect your data in the cloud, I suggest adopting some common-sense best practices:

• Before moving your application to the cloud, do some attack modeling and consider the value of your assets to be stored in the cloud, versus the cloud service costs and custom security measures you may (or may not need) to implement
• Invest in software security. Remember that hackers attack your software, not your security procedures.
• After you set a budget, choose a cloud service according to your threat model and read their dotted line on data security before committing