Thursday, July 16, 2009

Security and the Cloud

I was browsing through my unread tweets earlier today and I came across tweets from Evan, the CEO of Twitter. Apparently some enterprising cracker had managed to guess the passwords of several Twitter employees and gain access to their confidential documents, then sent them to a popular tech startup blog. I do not condone the actions of the cracker nor those of the writers of that blog. I think what they did was unethical and will mostly likely be detrimental to Twitter; thus, I'd rather not direct you to their site and increase their traffic. I'll be honest: I love Twitter. As much as I could easily write an entry extolling them while condemning the cracker and his cohorts, I leave that up to other concerned users. While everyone else is fixated on what this means for Twitter, no doubt focusing on its ambitious plans, the whole fiasco struck me more as a failure of cloud computing. What most people don't realize is the exploits of one fame seeking cracker not only undermined the plans and operations of Twitter, but also highlighted some problems of widespread corporate adoption of cloud computing.

The proponents of cloud computing, particularly at Google, would like us to believe that cloud computing is safe, and perhaps safer than traditional hosting solutions. They argue that your fragments of your data are distributed across several servers and in the event a single server is compromised, the attacker won't be able to retrieve your data as he will only have access to a possibly useless fragment. While this may hold true for attacks against servers, I prefer to exercise restraint when claiming cloud computing in general is safe.

The biggest strength of cloud computing is its ability to turn any internet connected device into your personal computer. Its main selling point is you can access your files from anywhere. It frees you from being restricted to a single device and its associated limitations or from the difficulty of synchronizing multiple devices. For instance, suppose your laptop/netbook is somehow irreparably damaged, cloud computing would spare you from 1) scrambling for the latest backup files, and 2) the pains of having to configure your replacement laptop. In fact, given any device can become your own personal computer, you can stop lugging around that heavy laptop with that clunky hard drive altogether.

Its biggest weakness: "you" can access your files from anywhere. Without the need to physically access a target device, your data is no longer secure once your credentials are compromised. While cloud computing may have defenses in place against attacks on servers, it has always been far easier to compromise the account of an individual user than it is to compromise an entire server. Granted, this is an issue shared with most, if not all, networks connected to the internet. However, cloud computing amplifies this problem by having all your data readily accessible from the internet.

Of course, the problem could be somewhat mitigated by a security policy that enforces requirements on password strength, as well as setting a finite time for the period of its validity. On the server end, it would help to support seamless encryption with private keys being stored locally (although this would go against the whole “any computer can become your computer” concept.)

There are other issues which I believe to be of lesser importance and will refrain from discussing in this blog but will address in another blog concerning Chrome OS in the near future.