Business Report

Being Smart about Cloud Security

An authority on Web security believes your data might be safer in the cloud.

For many companies, cloud computing sounds like risky business. They worry that storing customer details or running critical software on the servers of cloud providers such as Amazon or Google could make their data more vulnerable to being hacked, exposed, or lost. A lot of data in the cloud resides on shared servers—think public data dormitories—where only virtual walls might separate one company’s bits from those of its competitors.

Data detective: Security expert Jeremiah Grossman says fears over cloud computing are overblown.

Yet such fears are misplaced, says Jeremiah Grossman, founder of WhiteHat Security, which advises companies such as credit rater Fair Isaac and prescription giant CVS Caremark on their Web security. Grossman, a former information security officer for Yahoo, offered some advice about the cloud in an interview with Technology Review’s deputy editor, Brian Bergstein.

This story is part of our November/December 2011 Issue

TR: Why do you think there are security advantages in going to the cloud?

Grossman: The average enterprise, whether you’re talking small, medium, or the largest of the large—they’re in their respective businesses. A bank isn’t in the business of technology. A retailer isn’t in the business of managing IT infrastructure. A service provider like an Amazon, they have very particular skills [at] making really secure infrastructures. What you get from a cloud provider is economies of scale—and somebody else to manage the problem.

This is the most ingenious hacker attack on the cloud that I’ve heard of: someone hires a cloud provider to run a Web application on a shared server and then “bursts the cloud” to infect other users of the same machine. Is this merely a theoretical attack, or has it been done? 

It’s theoretical in the sense that we’ve never heard of it being done in the wild. We have seen different types of attacks in which it’s possible to break out of the virtualized containers [in which each cloud client’s data resides]. They’re quickly patched, but it is entirely possible. It is probably not a likely attack, because there are vectors that are way easier to do. But you should assume that the separation between clients is going to break down. You’re going to want to be resilient under those scenarios, [in part by setting rules about encrypting data and] who can get access to it.

Then what’s your worst-case scenario for organizations that shift to the cloud?

From a business standpoint, if you’re running the system yourself, you have a notion of resiliency, meaning—in the event of a catastrophe, whether a natural disaster or a business bankruptcy—you kind of have control of the infrastructure. You don’t have a lot of control when it comes to the cloud providers should they go out of business, should they be acquired by your nearest competitor. All of a sudden your cloud provider, which your business depends on, evaporates and goes away. What’s your contingency plan? That’s a major consideration.

Some CIOs are likely to run aspects of their websites in the cloud but retain control of some key applications. Is there a security issue raised in the handoff between a cloud service and someone’s on-premises systems?

That’s actually how it’s going to be for the vast majority of businesses out there: “I’m going to host my own website, but all my payments are going to run through a third party.” There’s a lot of benefit to doing that, but there’s also complexity to the situation. Complexity tends to be the enemy of security. The more complex you make your data flow—the more complex you make the systems and all the interconnects—the more difficult it is to manage it, understand it, and mitigate all the threats.
