A pro-public, anti-private Cloud article came out -- this time on TechRepublic -- that encouraged another debate on the insecurity of essentially all public services for IT. I interrupted a security colleague to chat about a hypothetical and she offered a human perspective on this perennial debate -- the perspective of control.
Here's my simple hypothetical. Suppose I have some deliciously personal data about you. Say this personal data is your full name, full address, credit card numbers, social security number, insurance card, etc. So it's personal, should be private, and obviously valuable data for fraudulent purchases like the kind that hackers love. Now let's assume I'm naive and push this bit of your personal data up to a public Cloud storage provider like Dropbox or Google Drive or OneDrive. Big glaring honeypot -- that's what it'd be -- so give me the benefit of the doubt and assume I encrypt the data first, then move it up to the public Cloud. And of course I'd encrypt with a very strong private key that's only on my smartphone because I'm an oddly paranoid person. (Yes, that's unrealistic, but let's go down this Rabbit Hole.)
What would a hacker do? It's trivial. A hacker would go after my smartphone, and not the public storage provider that has the valuable data. Personal smartphones are easier targets. I've seen many smartphone unlock codes, and some smartphones that have no code but a simple swipe. Sure, the hacker would put in sizeable effort to steal my smartphone, but that effort burned is less than (failing at) brute-force decryption or hoping to find a bug in a crypto algorithm. This is a simplistic (and less realistic) hypothetical, but I'm reiterating a glaring misunderstanding in Cloud security debates. We forget the weakest link or, in formal IT security terms, the results of "risk assessments". There would be several weak links in my example, like overlooking access to the public storage, transmission from the smartphone to the public data store, etc., but the weakest link is not data held in a public service that is strongly secured. Some paranoid IT professional will spurn my simplistic hypothetical by saying encryption algorithms have bugs and smartphones can be rooted to add extra layers of security, and sure, that's true, but which is more secure? And better yet, why?
Again, this is a simplistic dichotomy -- personal smartphone with private encryption key versus encrypted private data in public storage -- that I've reduced down to a data-at-rest example, but that doesn't change the fundamental concepts in securing technology. Most folks keep their smartphone under very close control, at least physically speaking. Just because you control a technology doesn't necessarily mean it's more secure. Our expectations of security in public software, for example, were challenged by the Open Software movement[1]. My colleague hinted at latent desires for IT folks to control technology, and I believe human nature creeps into our debates, especially when you hear folks trusting things that they control. I think the best security would come from distrusting all technology whether you control it or not, but that would be a boring, xenophobic world indeed. Sane consumers don't hoard money under the bed but entrust a Bank to secure it on their behalf. Good banking consumers simply double check the Bank's numbers against their own accounting, and don't deposit more than the FDIC insures :)
Having admitted to a desire for control, and inferring a sense of security from that control, it becomes clear that the Cloud-versus-onprem security debates are pitting equal weaknesses against each other. Realistic risk assessments are needed for both technologies.
References
1 - Open Source vs. Closed Source Software: Towards Measuring Security. http://www.icsi.berkeley.edu/pubs/networking/opensource09.pdf