J. Nicholas Hoover

Senior Editor, InformationWeek Government
Senior Editor, InformationWeek

Cloud Security: Better Than We Think?

J. Nicholas Hoover, InformationWeek | November 14, 2011 08:30 AM


Cloud computing has flunked a security test, reports Tim Wilson at Dark Reading. That probably doesn't surprise you. Conventional wisdom says clouds are inherently insecure.

But are they? Or are clouds actually more secure than conventional IT environments? A growing number of technologists are making that argument. And they're not cloud vendors or marketers or startups who have placed their bet on the cloud. They're some of the senior-most technology officials in government, including those from intelligence agencies and the military, which might be the last place you'd expect to hear such talk.

The list of execs touting the security advantages of the cloud has grown to include federal CIO Steven VanRoekel; Gen. Keith Alexander, head of both the National Security Agency and U.S. Cyber Command; CIA CTO Gus Hunt; NIST security researchers Peter Mell and Dr. Ronald Ross; and former NSA director Adm. Mike McConnell.

Their comments on cloud security are often accompanied by the caveat, "if you do it right." In other words, cloud security only happens through a combination of vigilance, best practices, and technology, including encryption, patching, and monitoring.

The shift to the cloud is an opportunity to rethink security from the ground up, to re-architect networks and data centers in a way that closes existing gaps. The feds are helping agencies do this with a growing body of guidance such as NIST's 68-page document on cloud security and controls required as part of the forthcoming FedRAMP security authorization program.

CIA CTO Hunt talks about periodically and automatically moving workloads and reimaging machines as a way of creating a "polymorphic attack surface" that confuses would-be attackers, as they won't know what's running on which physical server at any point in time.

Hunt's not some IT lightweight, and the CIA can't afford to be cavalier about the security of its data and systems. "We're paranoid for a reason," Hunt told the audience at InformationWeek's GovCloud 2011 event in October. "They really are out to get us. And I'm not kidding about this, when secrets leak out, people die."

Alexander says cloud computing can improve patching across a network and bring other benefits. "You have better visibility and situational awareness," he said at a recent event hosted by the Defense Advanced Research Projects Agency. "More importantly, if you were to watch how we push out [patches] today, you would laugh or cry because it takes months. We need a dynamic way to do it, and the cloud lets us do it much quicker."

These concepts apply primarily to private, not public, clouds. Even so, NIST's Mell, one of the creators of the FedRAMP program, has argued that entrusting data to the world-class engineers at Amazon, Google, and Microsoft may be more secure than hosting the data in your own data center.

Not everyone is ready to buy into this line of thinking, of course. At a recent cybersecurity event in Baltimore, some attendees scoffed at Alexander's take on cloud security. Their counterargument: Consolidation and virtualization might make an IT environment more manageable, but they also create a bigger target for social engineering and other forms of attack.

And NIST, despite the optimism of its cloud researchers, offers its own words of warning. "The cloud computing environment presents unique security challenges," NIST writes in its recently released "cloud roadmap" document. "The architecture, potential scale, reliance on networking, degree of outsourcing, and shared resource aspects of the cloud computing model make it prudent to reexamine current security controls." Prudent? That's too soft. IT pros who don't pay close attention to security controls in the cloud are putting their organizations at extreme risk.

Done right, however, clouds may be more secure than old-style data centers. That's the view of influential IT leaders within the government's intelligence, defense, and civilian agencies. Maybe it's time to think more about the potential security benefits of the cloud, and not just about all that can go wrong.


