Cloud Security, Full of Holes and Bugs?

Maybe not full of holes, but certainly the Cloud requires us to think carefully about what we are doing. Mel Beckman addresses the top 5 vulnerabilities of the cloud:

Each of the three cloud service models has at minimum one unique security vulnerability, and cloud services in general share a couple of serious security risks. I’ve found five vulnerabilities that are significant because they’re so often overlooked, even when they’re easily addressed.

Mel cites inadequate passwords and the need for multifactor authentication, a problem which hackers are all too ready to exploit. Add the need for encryption of the cloud conversation (including authentication) using something like SSL 3.0. Then there are factors only your cloud vendor can control, but you need to confirm: the virtual server “snapshot problem” where others have access to virtual memory pages including all encryption keys; backup redundancy (does your backup provider back up its own datacenters and how well); and treatment of API keys as data rather than keys to be secured. For the full explanation of each vulnerability and how to address it, please read the full article.

Charles Babcock finds a security bug caused a major cloud service outage at Microsoft.

A process meant to detect failed hardware in Microsoft’s Azure cloud was inadvertently triggered by a Leap Day software bug that set invalid expiration dates for security certificates. The bad certificates caused virtual machine startups to stall, which in turn generated more and more readings of hardware failure until Microsoft had a full-blown service outage on its hands.

The bug was part of a customer workload, reminding us that in the cloud your neighbors’ bad habits affect you. Given the nature of the bug, any regression test from the Y2K days should have captured it. One customer neglected this old standby quality requirement impacting Microsoft and many of its customers.

Art Wittmann puts it all into perspective regarding what to consider before using the cloud, before wrapping your head around the above risks of using the cloud properly and safely.

If you’re a weekend warrior and you need a tile saw, jack hammer, or concrete chainsaw for a small project, you go rent one, even though you know that a single weekend’s rental price is probably a quarter of the price to buy the tool. But if you lay tile for a living, you buy your own tile saw. The point is that for very infrequent use, the price of the rented tool almost doesn’t matter. You need it when you need it, and you don’t want to own it under almost any circumstance. If you have computing needs like that, the cloud is for you.

He identifies very creative use of the cloud for development and proof of concept activities prior to moving production in house, as well as using the cloud for “burst mode” capacity needs for a limited timeframe. The idea is to be flexible and creative about using the cloud, but do not forget about the advantages of on premises for your day to day workloads.

This entry was posted in Cloud computing. Bookmark the permalink.

Leave a Reply