Friday, October 24, 2008

Cloud Security

The biggest legitimate concerns I can think of for using applications hosted outside of the corporate infrastructure are integration, privacy and security.  Integration points might not be there yet, but they probably will be.  Getting locked into any one service is not a great selling point.  As far as I can tell, privacy is mostly an issue that will take time for our legal systems to catch up with, if they ever do.  But the one that I just had an interesting thought about is security.

In general, a hosted service should probably be able to handle security better than an individual company.  They hold the data for all of their customers and their data centers will end up being huge, storage-wise anyway.  They need to understand security and spend the resources on it to make sure it is up to the task.  But even large companies these days that know they need to have secure systems fail at this from time to time.  I tend to just start forgetting about the last 130,000 social security numbers that were leaked when news of a shipment of untold numbers of credit card records disappears.

I was reflecting about how one reason there are so many known security vulnerabilities in Microsoft products is that that is where people look for them, because there are more computers on which to take advantage of those flaws.  If more people used Macs, the world would be trying to break into OS X.  And don't kid yourself, viruses do exist for the Mac.  The Mac may really be more secure, making it harder to find the flaws.  But as more people start using them, the viruses and other attacks will follow.  It reminds me of the Willie Sutton (mis)quote, "...because that's where the money is."

I also had been reading a bit about cloud computing and I thought to myself, "Boy, won't all that centralized data be a tempting target."  Don't get me wrong, I know that such services will have far fewer security vulnerabilities than the average business network.  But it only takes one flaw in your system found by one person of the many that will likely be heavily scrutinizing your network to bring it down.

But I'm not saying that I feel this is a significant enough concern right now to keep me from using such services.  The flip side of that logic is that small networks won't get hacked as often simply because they will not be the focus of much attention.  To my nose, that just reeks of the security through obscurity principle.  It only takes one flaw out of the many your system might have to be found by the single person that happens to take a passing interest in your network to bring it down.

Most modern security practices make it unlikely that the whole system of a company so heavily invested in data and security would be disrupted, damaged or compromised all at once.  But every now and then a SQL Slammer is created that can affect computers across a system even as large as the internet.  Are the ingredients for such a fiasco likely to be present at the same time?  Not at all.  But let's just say that, if those circumstances should arise, the fallout of the first data service to get royally hacked could be spectacular.

It was just a thought I had.