Skip to Content

Being Smart about Cloud Security

An authority on Web security believes your data might be safer in the cloud.
October 4, 2011

For many companies, cloud computing sounds like risky business. They worry that storing customer details or running critical software on the servers of cloud providers such as Amazon or Google could make their data more vulnerable to being hacked, exposed, or lost. A lot of data in the cloud resides on shared servers—think public data dormitories—where only virtual walls might separate one company’s bits from those of its competitors.

Data detective: Security expert Jeremiah Grossman says fears over cloud computing are overblown.

Yet such fears are misplaced, says Jeremiah Grossman, founder of WhiteHat Security, which advises companies such as credit rater Fair Isaac and prescription giant CVS Caremark on their Web security. Grossman, a former information security officer for Yahoo, offered some advice about the cloud in an interview with Technology Review’s deputy editor, Brian Bergstein.

TR: Why do you think there are security advantages in going to the cloud?

Grossman: The average enterprise, whether you’re talking small, medium, or the largest of the large—they’re in their respective businesses. A bank isn’t in the business of technology. A retailer isn’t in the business of managing IT infrastructure. A service provider like an Amazon, they have very particular skills [at] making really secure infrastructures. What you get from a cloud provider is economies of scale—and somebody else to manage the problem.

This is the most ingenious hacker attack on the cloud that I’ve heard of: someone hires a cloud provider to run a Web application on a shared server and then “bursts the cloud” to infect other users of the same machine. Is this merely a theoretical attack, or has it been done? 

It’s theoretical in the sense that we’ve never heard of it being done in the wild. We have seen different types of attacks in which it’s possible to break out of the virtualized containers [in which each cloud client’s data resides]. They’re quickly patched, but it is entirely possible. It is probably not a likely attack, because there are vectors that are way easier to do. But you should assume that the separation between clients is going to break down. You’re going to want to be resilient under those scenarios, [in part by setting rules about encrypting data and] who can get access to it.

Then what’s your worst-case scenario for organizations that shift to the cloud?

From a business standpoint, if you’re running the system yourself, you have a notion of resiliency, meaning—in the event of a catastrophe, whether a natural disaster or a business bankruptcy—you kind of have control of the infrastructure. You don’t have a lot of control when it comes to the cloud providers should they go out of business, should they be acquired by your nearest competitor. All of a sudden your cloud provider, which your business depends on, evaporates and goes away. What’s your contingency plan? That’s a major consideration.

Some CIOs are likely to run aspects of their websites in the cloud but retain control of some key applications. Is there a security issue raised in the handoff between a cloud service and someone’s on-premises systems?

That’s actually how it’s going to be for the vast majority of businesses out there: “I’m going to host my own website, but all my payments are going to run through a third party.” There’s a lot of benefit to doing that, but there’s also complexity to the situation. Complexity tends to be the enemy of security. The more complex you make your data flow—the more complex you make the systems and all the interconnects—the more difficult it is to manage it, understand it, and mitigate all the threats.

Keep Reading

Most Popular

It’s time to retire the term “user”

The proliferation of AI means we need a new word.

The problem with plug-in hybrids? Their drivers.

Plug-in hybrids are often sold as a transition to EVs, but new data from Europe shows we’re still underestimating the emissions they produce.

Sam Altman says helpful agents are poised to become AI’s killer function

Open AI’s CEO says we won’t need new hardware or lots more training data to get there.

An AI startup made a hyperrealistic deepfake of me that’s so good it’s scary

Synthesia's new technology is impressive but raises big questions about a world where we increasingly can’t tell what’s real.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.