For many companies, cloud computing sounds like risky business. They worry that storing customer details or running critical software on the servers of cloud providers such as Amazon or Google could make their data more vulnerable to being hacked, exposed, or lost. A lot of data in the cloud resides on shared servers—think public data dormitories—where only virtual walls might separate one company’s bits from those of its competitors.
Yet such fears are misplaced, says Jeremiah Grossman, founder of WhiteHat Security, which advises companies such as credit rater Fair Isaac and prescription giant CVS Caremark on their Web security. Grossman, a former information security officer for Yahoo, offered some advice about the cloud in an interview with Technology Review’s deputy editor, Brian Bergstein.
TR: Why do you think there are security advantages in going to the cloud?
Grossman: The average enterprise, whether you’re talking small, medium, or the largest of the large—they’re in their respective businesses. A bank isn’t in the business of technology. A retailer isn’t in the business of managing IT infrastructure. A service provider like an Amazon, they have very particular skills [at] making really secure infrastructures. What you get from a cloud provider is economies of scale—and somebody else to manage the problem.
This is the most ingenious hacker attack on the cloud that I’ve heard of: someone hires a cloud provider to run a Web application on a shared server and then “bursts the cloud” to infect other users of the same machine. Is this merely a theoretical attack, or has it been done?
It’s theoretical in the sense that we’ve never heard of it being done in the wild. We have seen different types of attacks in which it’s possible to break out of the virtualized containers [in which each cloud client’s data resides]. They’re quickly patched, but it is entirely possible. It is probably not a likely attack, because there are vectors that are way easier to do. But you should assume that the separation between clients is going to break down. You’re going to want to be resilient under those scenarios, [in part by setting rules about encrypting data and] who can get access to it.
Then what’s your worst-case scenario for organizations that shift to the cloud?
From a business standpoint, if you’re running the system yourself, you have a notion of resiliency, meaning—in the event of a catastrophe, whether a natural disaster or a business bankruptcy—you kind of have control of the infrastructure. You don’t have a lot of control when it comes to the cloud providers should they go out of business, should they be acquired by your nearest competitor. All of a sudden your cloud provider, which your business depends on, evaporates and goes away. What’s your contingency plan? That’s a major consideration.
Some CIOs are likely to run aspects of their websites in the cloud but retain control of some key applications. Is there a security issue raised in the handoff between a cloud service and someone’s on-premises systems?
That’s actually how it’s going to be for the vast majority of businesses out there: “I’m going to host my own website, but all my payments are going to run through a third party.” There’s a lot of benefit to doing that, but there’s also complexity to the situation. Complexity tends to be the enemy of security. The more complex you make your data flow—the more complex you make the systems and all the interconnects—the more difficult it is to manage it, understand it, and mitigate all the threats.
The big new idea for making self-driving cars that can go anywhere
The mainstream approach to driverless cars is slow and difficult. These startups think going all-in on AI will get there faster.
Inside Charm Industrial’s big bet on corn stalks for carbon removal
The startup used plant matter and bio-oil to sequester thousands of tons of carbon. The question now is how reliable, scalable, and economical this approach will prove.
The dark secret behind those cute AI-generated animal images
Google Brain has revealed its own image-making AI, called Imagen. But don't expect to see anything that isn't wholesome.
The hype around DeepMind’s new AI model misses what’s actually cool about it
Some worry that the chatter about these tools is doing the whole field a disservice.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.