Tuesday, July 31, 2012

Cyber-security and cloud computing

Two recent articles have highlighted the threat posed by foreign cyber-espionage, and the security difficulties of so-called 'cloud computing'.

First, AOL Defense warns that 'China and Russia are stealing our lunch'.

While Chinese threats have gotten the most attention, the rat in the kitchen is just as likely to be Russian, said Smith, a former ambassador who worked on arms control negotiations with the then-Soviet Union and who now spends about half his time in the former Soviet republic of Georgia, which suffered a Russian cyberattack alongside a conventional invasion in 2008. The Russians have a well-educated population with computer skills and a thriving underworld with government contacts, so the Kremlin can mobilize legions of online scammers as "a vast cyber reserve force" for online campaigns, Smith said, pointing to the attacks on Georgia and on Estonia in 2007.

"The difference is the Russians don't get caught" as often as the Chinese, Smith said. But hackers from both countries are going after American intellectual property on a grand scale that goes beyond individual larceny to a national strategy.

"What you have underway right now is systematic espionage against the United States," said Smith. "This is not intelligence agencies stealing this or that secret, this is not industrial espionage where some company in another country wants to get the process for something or other. We're talking about a systematic effort to equalize the technology edge that the United States enjoys over every other country in the world by stealing US intellectual property.... This is strategic."

There's more at the link.

Next, DefenseNews warns of the vulnerabilities of cloud computing for Department of Defense applications.

The argument in favor of private cloud systems rests on three assertions about how the architecture could improve DoD systems:

• The cloud is more secure than less consolidated data systems.

• The cloud will require fewer talented cyber experts to protect.

• The cloud can save the department large sums of money through fewer hardware requirements and more efficient operation.

The third argument, that the cloud would save money, is widely recognized and accepted by experts, although the magnitude is disputed. The other two, however, are the subject of heated debate.

“There are specific vulnerabilities associated with cloud architecture that, as far as I can tell, have not been fully and adequately addressed,” said Moulton, who previously served in the U.S. Air Force doing special operations communications.

The simplest and most frequently cited argument against the assertion that the cloud is more secure is the risk of centralization. DoD networks are still largely fragmented, which can make information sharing difficult. But that fragmentation means no individual breach would compromise the larger data mass.

“When there is no centralized control of all those systems, there is no central place to [get] access to everything else,” Bejtlich said. “Is it better to have everyone decide how to deploy their systems independently, or is it better to have one super-image that we believe contains the best security posture?

“With the former, the bad guy who gets onto the system or is trying to get onto the system doesn’t necessarily know what the victim is running. With the latter, he knows exactly what they’re running, and he can tailor his research efforts to that.”

The complaint about the fragmented approach has been that maintaining decent security at each individual outpost was both expensive and difficult. By consolidating systems, DoD could be more confident that its systems are properly designed.

But with cloud architecture, even if the protection is better, once an attacker is in, the loss is much worse.

“You’re putting all of your eggs in the same basket,” Moulton said.

Because of the added risk, the exterior defenses and network monitoring need to be even better to guard a more valuable system, probably meaning as many experts as are employed across networks now, Moulton said. And because of the lack of expertise in cloud architecture, building and protecting cloud systems could be far more expensive than has been predicted, he said.

“There’s the rush to this, and everyone thinks they’re going to save so much money and manpower,” he said. “I don’t agree with that broad assumption.”

Again, more at the link.

Of course, if those security risks and vulnerabilities affect military systems, with their institutional emphasis on confidentiality, what does that imply for our commercial systems?  I use a 'cloud computing' backup service to store copies of critical documents (manuscripts, personal data files, etc.).  What happens if someone takes down that cloud, or disrupts access to it?

Not a comfortable thought . . .



Noons said...

The whole argument for cloud computing seems to hinge on cost and cost alone.

It reminds me of the "logic" at the root of the demise of computer makers such as Prime Computers in the late 80s and early 90s.
Went like this: "Oh! Look at the height of that column in the graphic of costs! What's that? R&D? Too expensive! Cut it! There! See how our bottom line has improved?"

Three years later Prime ceased to be: they had majorly fallen behind in the technology stakes.

It's stupidity just like that, behind the cloud-is-cheap argument...

Shrimp said...

Maybe I'm an idiot (my wife would say take out the word "maybe"), but why would anyone back up anything to someone other than themselves? All of the stuff I need backed up goes onto inexpensive flash drives. If it's especially sensitive, I can store said flash drive in the safe. Otherwise, it's portable and easily transported. I don't grok the need for the "cloud" for personal users (i.e. not part of a corporation or group of users).

What am I missing here? Ease of use?

Borepatch said...

Anyone who tells you they know what Cloud Security means is either lying or a fool.

And I hope the data you're backing up is encrypted.

Luke said...

Trust me, it's great for uni. Actually on that note, it's pretty good for work too. It means less lugging of hardware or actually duplicating documents unless you have to.

There are downsides, but security aside, it's pretty handy.

Stuart from Sydney said...

Luke, your last, 'but security aside', whoah!, think again.

In a former career, Communications Security and Intelligence Collection, my security was fundamental, nay, foundational, to my success, and the lack of such by others, ensured my success.

virgil xenophon said...

"What happens if someone takes down a cloud...?"

Think ONE word: Magnolia

virgil xenophon said...

JUst realized it might be common knowledge and checked to find it's harder to find on Google than I thought. Ma.gnolia wqas a Delicious equivalent that was better than Delicious in that it simultaneously took a screen-shot as well as linked, so if the linked page/site
ever was broken/disappeared the screen-shot still existed. Well, the Ma.gnolia server melted with no back-up. EVERYTHING was lost. See: http://www.wired.com/business/01/magnolia-suffer/

virgil xenophon said...

PPS: I might add that "compartmentalized" security is one reason critics cite against the move to create national standards for State drivers licenses: once "inside" the system one can go ANYWHERE--just like terrorists can move easily around undetected in the EU now that nat. border controls have been relaxed.

Luke said...

In this context security aside means: apart from the downside of having less security.

It wasn't marginalizing the importance of security. If you read the text you will see the context was after a person wondered what the whole point of the cloud was in the first place, which is to have access to your documents at all times and at any place.

I feel comfortable with my iTunes purchases and lecture notes on the cloud. I feel less comfortable with having a single iTunes password for everything, and don't like online banking.

Not to step on your toes, but nothing confidential should be online anyways. Any system can get hacked or brought down and it's a cost-benefit calculation that entirely subjective to most users so your mileage will vary. But for the DoD etc, it's a scary thought, and for a uni student it's entirely sensible.

However if you disagree, let me know. I just get the impression you kinda fixated on a single line.