Not too many decades ago, computers were easy to secure because they came in their own large well-guarded rooms. The “high priests” of the computer room would take in punch cards at the glass window control point, and as long as the paper holding the code was not folded, spindled or mutilated, it might be read by a Hollerith reader and run on the machine. Only one program ran at a time. Of course if your code had a bug in it, it would be rejected from the room to be debugged hours or days later when the high priests gave it back. (FWIW, carefully designing, constructing, and desk checking code was standard practice when punch cards ruled the day; imagine every compiler run taking two to three days.)
Then came the mad dash from time-sharing systems to minicomputers to personal computers to mobile devices. Debugging code on your own machine became a much messier process that happened as fast as the (slow) humans could do it. No more waiting for the blessings of the high priests or the world’s slowest compiler. No need to understand how computers and technology stacks actually work when it became cheap to just run the code and see what happens. Even running other people’s programs was easy. Security slid down the slippery slope from trivial to nigh on impossible as the perimeter dissolved.
Now we have the cloud, the perimeter has disappeared entirely, and we’re once again submitting our code to the high priests -- now Google, Amazon, Microsoft and others -- to run.
What happened? And do we at least get security as a side effect? What are the cloud computing pros and cons for security?
A brief history of (computational) time
When computers took up a room and ran one program at a time, they were as easy to secure as they were expensive. Only highly trained people were allowed access to the machines, and they were always the deepest of geeks. Computing cycles were expensive and rare, but the perimeter was obvious and easy to lock down -- as easy as locking a door.
Then came time-sharing systems with “dumb terminals” like the ADM5 and the VT100 connected with wires to the mainframe (running VMS or Ultrix). Multiple users could run their programs on the same machine, sharing slices of time. Machines and their cycles were still very expensive and so there were few of them, and they were big. But cycles were getting cheaper every year, and the terminals were slowly inching their way out into the world.
Likewise, computer security escaped the room. Since the terminals were all within wiring distance of the mainframe (usually collected in a terminal room), and users required usernames and passwords (and were forced to authenticate) to use the machine, security was somewhat manageable. Not many people actually used computers.
Then the core machines escaped the room, joined up with the terminals and started getting even cheaper. However, storage was still expensive and large. Multi-user machines had “accounts” which usually had “quotas” of disk space. Twenty megs of storage seemed like a lot in the late ‘80s. Storage was collected in room-sized disk farms and managed like the mainframes of the old days. Cycles were free, but disk space was expensive. Perimeter security held on by its fingernails.
About the [In]security column:
This monthly security column by Gary McGraw started life in print in IT Architect and Network magazines and was originally called “[In]security.” That was back in October 2004. The column then transitioned into Web content at several publications before finding a home at SearchSecurity. You can always find pointers to the complete [In]security series on McGraw’s writing page. Your feedback on the column is greatly appreciated.
The nail in the coffin of easy perimeter security came, like Cerberus, with three heads: the PC, the users and the Internet. Early PCs like the Apple ][+ and the IBM PC Junior had no hard disk space. They used floppies or cassette tapes for long-term storage; it took lots of floppy disks to hold lots of records. Hard disks were expensive and were also the size of dishwashers. Soon that changed. The IBM AT came with a brick-sized 20 Mb hard disk in 1986. Disk space started shrinking, and eventually got as cheap as computational cycles -- essentially free.
Now cycles and storage are both free, but we’re faced with a basic management problem. That is, cycles and disk space may be free, but having (ops) geeks manage machines is still expensive and hard -- especially when you factor in security.
Resolved: The cloud is good for security
Does every small- and medium-sized business in the world need computers to survive? Yes. Can every SMB afford enough ops geeks to manage the computers they need? Nope. (Especially when it comes to security, which is very tricky and takes real expertise.) And there you have it: Cloud computing boils down to cheaper, better ops geeks and instant demand for cloud computing by most every SMB.
Fact of the matter is the sys admins and security ops people at Google, Amazon, Salesforce.com and Microsoft are not just a little better than the standard-issue SMB ops geek, they are orders of magnitude better. Imagine the choice between having a world-class ops team behind your business operations versus hiring the second-cousin of some local IT guy who just graduated from community college.
Note the same argument does not currently hold for large enterprises, where internal IT staff is both world-class and already highly professionalized. For the most part, the enterprise security operations machine is well oiled and efficient, but as I’ve written previously, the SMB situation is different:
Ever wonder who owns those millions of rooted machines that are regularly put together into gigantic botnets by cybercriminals? The most likely answer is your relatives and your favorite local businesses. Cloud security can help. The more consumers and SMBs move their computing to the cloud, the better off we'll all be… By adopting cloud services, SMBs and consumers can instantly and automatically improve their network security posture (accelerating from their current likely-to-be-busted state to patching unpatched systems, using modern equipment and monitoring for security intrusion).
In my view, cloud computing will improve computer security on planet earth, mostly because of this SMB computer security ops relief.
Resolved: The cloud is terrible for security
The problem is the applications we need. When we write non-generic apps for all of the different flavors of SMBs out there, we introduce the Achilles’ heel of cloud security. Put simply, building secure applications for the cloud is just as difficult as building secure applications anywhere else. Sadly, this is a fact the cloud computing vendors either don’t understand or are just plain lying about.
The problem is the cloud vendors have by and large confused application security with a thing -- crypto. We all know security is a property and not a thing. Well, all of us except the cloud vendors. The cloud vendors still believe in the liberal application of magic crypto fairy dust. This kind of security approach didn’t make apps any more secure when we used crypto on links between mainframes, or when we added it to the Web, or when we added it to wireless, or when we added it to data at rest. Continued blind faith in crypto fairy dust approaches the definition of insanity.
The good news is we are making great progress in software security. The bad news is we may be able to outsource security ops to the cloud vendors, but there is no sign that we can do the same for application security.
My bottom line on this holds:
Bottom line when it comes to building applications on the cloud? Get some professional help. Really. And whatever you do, don't believe the magic crypto fairy dust the cloud vendors are peddling will magically solve all of your problems.
Stopping cloud computing is just about as futile as trying to convince the world to go back to the mainframe days (um, no wait...that’s not what I meant to say!). The cloud is cheap, and the rental ops guys are very good indeed. Cycles and storage are basically free, so why buy the things?
So when your company adopts cloud computing (not if, but when), don’t forget to think hard about software security. Don’t buy the cloud vendor nonsense about magic crypto fairy dust! Put on your thinking caps and approach software security in the cloud exactly the same way you would approach it back when you owned the machines you ran code on.
If you would like to see some bona-fide security geeks (including me) argue through these issues, check out this video of the April 7 cloud security panel hosted by NIST in Gaithersburg, Md.