The following post is excerpted from an article that I co-authored with Anup Ghosh, founder and chief scientist at Invincea, to introduce a recent issue of IEEE Security & Privacy that focused on Cloud Computing Security. In the article, we present the economic benefits of cloud computing as well as the security and privacy risks inherent to cloud computing and inherited from traditional computing models. Excerpt from "In Cloud Computing We Trust - But Should We?" IEEE Security & Privacy, Nov. - Dec. 2010: Clearly, moving to a cloud-based computing paradigm presents new security and privacy challenges.
While it might not be immediately evident what those challenges are, some of them will be inherent to the cloud-based model, while others will be inherited from existing computing models that are either used in cloud computing or interconnected with it. For example, security practitioners have traditionally mapped intangible assets such as proprietary data, algorithms, and other intellectual property to tangible, physical ones such as specific computer hardware, IP addresses, storage systems, or network equipment. In a cloud-based service, this mapping, which previously was used to "secure" fixed assets later in order to manage the risks of intangible assets, no longer applies because the mapping is dynamic. In this context, pooling data storage resources and their use through APIs that abstract the actual physical medium pose threats at the data deduplication, location, retrieval, and processing layers that can't be easily mapped to any particular group of tangible assets in a cloud computing environment.
This forces security practitioners to rethink their data security practices and solutions in light of a risk scenario previously unaccounted for that is inherent to the cloud model. On the other hand, cloud-based computing will also inherit risk from standard desktop, server, and mobile computing models and from a large menu of other known components that cloud computing providers combine to build their infrastructure and to deliver services. For instance, a PHP Web application running on cloud-located servers with a standard COTS operating system and globally accessible via Wi-Fi or 3G networking using Web browsers on desktop computers and smart mobile devices will be vulnerable to all the known threats of each of the component technologies, plus have the additional risk resultant from combining them together in a service. To the security practitioner, identifying and understanding the inherent risks of cloud computing while grappling with the inherited risks from an interconnected infrastructure and common vulnerable components may seem academic to some and daunting to others. Regardless, adopting cloud-based computing services will require knowledge of these risks and a risk management strategy to address them appropriately.
While we won't prognosticate what challenges lie ahead in security and privacy for cloud computing, we can be certain that many will emerge. It will be imperative for cloud service providers to be as transparent as possible about these challenges and risks as they develop for the industry to mature. As in every other market and industry that adopts inter-networked computing, security challenges always emerge, and almost always security is "bolted on" after the fact, rather than designed in from the start. The opportunity to build security in from a clean sheet should not be lost on the technical security community.