Per my previous post, it seems that there is suddenly a lot of discussion in the security blogosphere about cloud computing and the security (or lack thereof). Seems a number of people have taken note of Microsoft’s entry (Azure) into Data Center business development. A lot of really good questions are being asked.
How are these environments going to be secured? I have yet to see anything solid provided. Evidently vendors are content to “wait” until businesspeople tell them what they want. What if they never ask? Where is there a baseline for systems? Access controls? Dare I say “secure software development lifecycle?”
For some painful laughter, try reading a poetic critique of cloud computing here from Christopher Hoff.
Follow that up with a dose of reality as to the real origin of “cloud” computing from Reuven Cohen:
I hate to tell you this, it wasn’t Amazon, IBM or even Sun who invented cloud computing. It was criminal technologists, mostly from eastern Europe, who did. Looking back to the late 90’s and the use of decentralized “warez” darknets. These original private “clouds” are the first true cloud computing infrastructures seen in the wild. Even way back then the criminal syndicates had developed “service oriented architectures” and federated id systems including advanced encryption. It has taken more than 10 years before we actually started to see this type of sophisticated decentralization to start being adopted by traditional enterprises.
and you begin to see the general take on cloud computing as it is currently being described. I like “thin client” computing. You can put a lot of controls in place that allow a user to have a desktop of their own AND not allow any malware in beyond the next reboot. It makes me nervous to think about some big corporation holding all my data, but banks do it all the time with mainframe applications. That’s where Metavante and Jack Henry, for instance, make their money.
But how do we audit these clouds? It still comes down to WHO has ACCESS to WHAT.