
Being Smart about Cloud Security

An authority on Web security believes your data might be safer in the cloud.
October 4, 2011

For many companies, cloud computing sounds like risky business. They worry that storing customer details or running critical software on the servers of cloud providers such as Amazon or Google could make their data more vulnerable to being hacked, exposed, or lost. A lot of data in the cloud resides on shared servers—think public data dormitories—where only virtual walls might separate one company’s bits from those of its competitors.

Data detective: Security expert Jeremiah Grossman says fears over cloud computing are overblown.

Yet such fears are misplaced, says Jeremiah Grossman, founder of WhiteHat Security, which advises companies such as credit rater Fair Isaac and prescription giant CVS Caremark on their Web security. Grossman, a former information security officer for Yahoo, offered some advice about the cloud in an interview with Technology Review’s deputy editor, Brian Bergstein.

TR: Why do you think there are security advantages in going to the cloud?

Grossman: The average enterprise, whether you’re talking small, medium, or the largest of the large—they’re in their respective businesses. A bank isn’t in the business of technology. A retailer isn’t in the business of managing IT infrastructure. A service provider like an Amazon, they have very particular skills [at] making really secure infrastructures. What you get from a cloud provider is economies of scale—and somebody else to manage the problem.

TR: This is the most ingenious hacker attack on the cloud that I’ve heard of: someone hires a cloud provider to run a Web application on a shared server and then “bursts the cloud” to infect other users of the same machine. Is this merely a theoretical attack, or has it been done?

Grossman: It’s theoretical in the sense that we’ve never heard of it being done in the wild. We have seen different types of attacks in which it’s possible to break out of the virtualized containers [in which each cloud client’s data resides]. They’re quickly patched, but it is entirely possible. It is probably not a likely attack, because there are vectors that are way easier to do. But you should assume that the separation between clients is going to break down. You’re going to want to be resilient under those scenarios, [in part by setting rules about encrypting data and] who can get access to it.

TR: Then what’s your worst-case scenario for organizations that shift to the cloud?

Grossman: From a business standpoint, if you’re running the system yourself, you have a notion of resiliency, meaning—in the event of a catastrophe, whether a natural disaster or a business bankruptcy—you kind of have control of the infrastructure. You don’t have a lot of control when it comes to the cloud providers should they go out of business, should they be acquired by your nearest competitor. All of a sudden your cloud provider, which your business depends on, evaporates and goes away. What’s your contingency plan? That’s a major consideration.

TR: Some CIOs are likely to run aspects of their websites in the cloud but retain control of some key applications. Is there a security issue raised in the handoff between a cloud service and someone’s on-premises systems?

Grossman: That’s actually how it’s going to be for the vast majority of businesses out there: “I’m going to host my own website, but all my payments are going to run through a third party.” There’s a lot of benefit to doing that, but there’s also complexity to the situation. Complexity tends to be the enemy of security. The more complex you make your data flow—the more complex you make the systems and all the interconnects—the more difficult it is to manage it, understand it, and mitigate all the threats.
