As often happens when arguing on principles, dialectical passion supersedes reasonableness (not to mention rationality).
The theme of “Security in the cloud” is no exception, and factions of security experts can be divided into “cloud believers”, i.e. die hard supporters of the allegedly greater security of the cloud (regardless of any possible evidence of the contrary), opposed to “cloud skeptics” that outline the issues relating to the “one size fits all” approach that characterizes Cloud computing.
Unfortunately, when dealing with complex issues (such as cybersecurity) it is not always possible to easily settle the thorny issues, by clearly separating the “white” from the “black”.
As every Security Professional could witness, actually “gray” is the color that characterizes Cybersecurity (and its nuances, alas, are rarely limited to fifty…)
Dealing with Cloud Security
In order to be able to deal with the “Cloud Security” issue in an appropriate manner, it is advisable to start from the basic principles of computer security, and one of those principles states that:
This means that it is just not enough to “hardenize” (as it should be considered a must) critical systems, neglecting to secure the remaining equipment, systems, applications, etc.
Arguing otherwise, we would incur in the risk of protecting the main entrance while leaving the windows wide open!
Let’s now see how complexity negatively affects security, especially in the Cloud computing environment.
It’s Complexity, my dear!
The problem that arises in the Cloud environment, compared to conventional perimeter security, is that the number of the rings of the security chain (to stay at the metaphor) grows exponentially, rather than linearly.
This entails a potentially uncontrolled growth of the so-called “attack surface”, which can give rise to potentially unpredictable outcomes in terms of security.
If it is already difficult in a conventional context to define the security perimeter, it is even more complicated to do so in a distributed network like that of Cloud Computing.
Every new “bucket” that is added (not to mention the applications, systems, apparatuses, sensors, etc., that may reside in it) increases in a more than proportional way the overall complexity of the Cloud considered as a whole.
Resorting to Cybersecurity Best Practices
According to the fundamental principles of security:
It is not enough, therefore, to reduce the problem of security to the choice of the best product or technical solution (should this actually exist, we would all choose it!), as we are asked to address security issues by adopting a “holistic” approach, which takes into account the complexity of the overall system.
On the other hand, it has always been true that:
So the question regarding the non-linear growth of the potential attack surface surface constitutes the actual Problem of Cloud Security, and cannot be diminished to a simple secondary aspect.
Dealing with the “Curse of Dimensionality”
The unpredictable effects of Complexity have long been known:
in essence, a complex system is characterized by the fact of manifesting unpredictable (if not chaotic) behaviors with the increase in the number of “degrees of freedom” that characterize it.
The most striking effect of such unpredictability is known as “butterfly effect”.
This unpredictability, of course, can be controlled by reducing (and constantly maintaining) the overall complexity of the system below its “critical threshold”.
The problem is that identifying this critical threshold in the context of Cloud Computing is not at all simple.
Are algorithms and Machine Learning the way to go?
To date, even machine learning algorithms are not able to manage the “the curse of dimensionality”, that is to say, the computational explosion deriving from the increasing number of “freedom degrees” of a system (corresponding in our case, to the number of buckets, apparatuses, systems, applications, etc. that can freely interact with each other) and the complexity that derives from it.
In practical terms, a possible vulnerability pertaining to the Cloud could be exploited on a “large scale”, resulting in a domino effect with obvious cascading damages, due to the topological features that characterize the Cloud.
Also admitting (and not conceding) that it were possible to guarantee the “safety” of the single devices, systems, applications, etc. that reside within the Cloud, such systems could still interact with each other in an unpredictable manner, by virtue of their “degrees of freedom”, which we are not ex ante able to establish in deterministic number, quality and nature (paradoxically, a traditional network perimeter, made up of heterogeneous apparatuses and applications, might be able to break the “chain of contagion” even better, regardless of the level of security affecting single apparatuses and different systems).
What to do, then?
In conclusion, the most honest answer that can be given to the Cloud Security problem is that, to date, we are not able to effectively assess the security of a cloud architecture as we would with a traditional security perimeter.
The most sensible decision therefore remains that of “do not put all the eggs in the same basket” (as the best practices suggest), carrying out and keeping backups of critical data (i.e. the data that are essential to guarantee the Business Continuity of an Organization) outside the Cloud, also adopting appropriate Disaster Recovery plans (being assisted by a Security Analyst, rather than just being advised by our trusted vendor…)