I came across two very interesting and concerning studies on cloud computing–one from last year and the other from last month.
Here is a white paper by London-based Context Information Security (March 2011)
Context rented space from various cloud providers and tested their security.
Overall, it found that the cloud providers failed in 41% of the tests and that tests were prohibited in another 34% of the cases –leaving a pass rate of just 25%!
The major security issue was a failure to securely separate client nodes, resulting in the ability to “view data held on other service users’ disk and to extract data including usernames and passwords, client data, and database contents.”
The study found that “at least some of the unease felt about securing the Cloud is justified.”
Context recommends that clients moving to the cloud should:
1) Encrypt–“Use encryption on hard disks and network traffic between nodes.”
2) Firewall–“All networks that a node has access to…should be treated as hostile and should be protected by host-based firewalls.”
2) Harden–“Default nodes provisioned by the Cloud providers should not be trusted as being secure; clients should security harden these nodes themselves.”
I found another interesting post on “dirty disks” by Context (24 April 2012), which describes another cloud vulnerability that results in remnant client data being left behind, which then become vulnerable to others harvesting and exploiting this information.
In response to ongoing fears about the cloud, some are choosing to have separate air-gaped machines, even caged off, at their cloud providers facilities in order to physically separate their infrastructure and data–but if this is their way to currently secure the data, then is this really even cloud or maybe we should more accurately call it a faux cloud?
While Cloud Computing may hold tremendous cost-saving potential and efficiencies, we need to tread carefully, as the skies are not yet all clear from a security perspective with the cloud.
Clouds can lead the way–like for the Israelites traveling with G-d through the desert for 40 years or they can bring terrible destruction like when it rained for 40 days and nights in the Great Flood in the time of Noah.
The question for us is are we traveling on the cloud computing road to the promised land or is there a great destruction that awaits in a still immature and insecure cloud computing playing field?
(Source Photo: here with attribution to freefotouk)