25 September 2009

My security head's in the clouds

Craig Balding at CloudSecurity.org has posted a gem of a presentation on the state of security in cloud computing (it's a presentation he gave at something called BruCon, a security (and beer!) conference in Brussels). It's well worth reading for an overview of what cloud computing means for security practitioners.

One item that struck me was his slide 56. The slide asks "When's the revolution?" -- to wit, when's the revolution in web security technology to match the revolution in web application technology? The answer to web security still seems to be "SSL and Firewalls". Way back in 2002, I sat on the security panel at the Next Generation Web Services Summit. Chad Dickerson of etsy, the moderator and back then CTO at InfoWorld, asked about the role of SSL in web services security. I answered that it doesn't solve the problem. "If you [don't] encrypt your channel, you open yourself, but that is not sufficient."1 SSL is an absolutely minimal level of security -- and here we are in 2009 still thinking that it's good enough. But SSL can only protect data in transit from being snooped between the customer and the provider -- or more accurately, between the customer's last proxy and the provider's first proxy.

You think you've got end-to-end SSL, but in truth you don't.

It's not that SSL is a bad idea -- it's not! -- it's 'necessary but not sufficient'. It does nothing to address a host of other issues: data integrity, repudiation, data loss, data commingling, availability, and so on.
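To make the "last proxy to first proxy" point concrete, here is a small Python simulation I've added (it is not from the post or from Balding's slides). It models a request crossing two hops, client to proxy and proxy to origin, where each hop has its own session key standing in for a TLS session. The per-hop "encryption" is a toy XOR keystream so the script runs offline; it is not a real cipher and not TLS. The application-layer HMAC with a key shared only by client and origin is my stand-in for an end-to-end integrity mechanism; all key values and the request body are constructed for the example.

```python
import hashlib
import hmac
from typing import Tuple

TAG_LEN = 32  # SHA-256 HMAC output length

# Constructed keys for the simulation (not real credentials).
HOP1_KEY = b"client-to-proxy-session-key"   # stands in for the TLS session on hop 1
HOP2_KEY = b"proxy-to-origin-session-key"   # stands in for the TLS session on hop 2
APP_KEY = b"shared-application-layer-key"   # known only to client and origin


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream derived from SHA-256; a stand-in for a real cipher, nothing more."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def channel_seal(key: bytes, data: bytes) -> bytes:
    """Per-hop 'encryption' (XOR with the toy keystream): what one TLS hop hides on the wire."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


channel_open = channel_seal  # XOR with the same keystream undoes it


def e2e_tag(app_key: bytes, body: bytes) -> bytes:
    """Application-layer HMAC over the body; rides inside the payload through every hop."""
    return hmac.new(app_key, body, hashlib.sha256).digest()


def send_through_hops(body: bytes, corrupt_between_hops: bool = False) -> Tuple[bytes, bytes, bool]:
    """Push one request client -> proxy -> origin.

    Returns (plaintext the proxy saw, body the origin received, end-to-end tag verified?).
    """
    payload = body + e2e_tag(APP_KEY, body)

    # Hop 1: the client seals for the proxy. Only the proxy can open this.
    wire1 = channel_seal(HOP1_KEY, payload)

    # The proxy terminates hop 1 in order to route or inspect: it holds the plaintext here.
    at_proxy = channel_open(HOP1_KEY, wire1)
    proxy_saw = at_proxy[:-TAG_LEN]

    if corrupt_between_hops:
        # Model a fault between the two TLS terminators (buggy proxy, bad cache, stray bit flip).
        at_proxy = bytes([at_proxy[0] ^ 0x01]) + at_proxy[1:]

    # Hop 2: the proxy re-seals for the origin under a different session key.
    wire2 = channel_seal(HOP2_KEY, at_proxy)
    at_origin = channel_open(HOP2_KEY, wire2)

    # The origin checks the end-to-end tag, which the per-hop channels never touched.
    recv_body, recv_tag = at_origin[:-TAG_LEN], at_origin[-TAG_LEN:]
    tag_ok = hmac.compare_digest(recv_tag, e2e_tag(APP_KEY, recv_body))
    return proxy_saw, recv_body, tag_ok


if __name__ == "__main__":
    msg = b"PUT /orders/42 total=199.00"  # constructed request body
    seen, got, ok = send_through_hops(msg)
    print("proxy saw plaintext:", seen == msg)
    print("origin got body intact:", got == msg, "| e2e tag ok:", ok)
    seen, got, ok = send_through_hops(msg, corrupt_between_hops=True)
    print("after a fault between hops -> body intact:", got == msg, "| e2e tag ok:", ok)
```

Two things fall out of running it. The proxy sees the full plaintext even though both hops are "encrypted", which is exactly the gap between "customer's last proxy" and "provider's first proxy" described above. And a fault introduced between the two terminators passes both channels unnoticed; only the application-layer tag catches it. An HMAC like this gives integrity and origin authentication between the two key holders but not non-repudiation, since either party could have produced the tag; that needs a digital signature, which is a separate mechanism again.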

Anyway, read the rest of his presentation for a good overview of the state of things, including the implications of virtualization, why cloud computing is or isn't just outsourcing, and the current dearth of research into cloud-specific security vulnerabilities.