Is the Cloud more secure?

As often happens when arguing on principles, dialectical passion gives way to reasonableness (not to mention rationality).

The theme of “Security in the cloud” is no exception, with factions of security experts ready to divide into “believers”, i.e. die hard supporters of the greater security of the cloud (regardless of any possible evidence of the contrary), opposed to “skeptics” that outline the issues relating to the “one size fits all” approach.

Unfortunately, when dealing with complex issues (such as cybersecurity) it is not always possible to easily settle the thorny issues, by clearly separating the “white” from the “black”.

As every Security Professional should witness, actually “gray” is the color that characterizes Cybersecurity (and its nuances, alas, are rarely limited to fifty…)

Dealing with Cloud Security

In order to be able to deal with the “Cloud Security” issue in an appropriate manner, it is advisable to start from the bases of computer security, and one of the fundamental principles states that:

“The safety of a chain lies on its weakest link”

This means that it is not enough to “hardenize” (as it is a must) critical systems, neglecting to secure the remaining equipment, systems, applications, etc.

Otherwise, we risk protecting the main entrance with the security door, but leaving the windows open!

It’s Complexity, my dear!

The problem that arises in the Cloud, compared to traditional perimeter security, is that the rings of the chain (to stay at the metaphor) grow exponentially, rather than linearly.

This entails a potentially uncontrolled growth of the so-called “attack surface”, which can give rise to potentially unpredictable outcomes in terms of security.

If it is already difficult in a “traditional context” to define the security perimeter, it is even more complicated to do so in a distributed network like Cloud Computing.

Every new “bucket” that is added (not to mention the applications, systems, apparatuses, sensors, etc., that may reside in it) increases in a more than proportional way the overall complexity of the “cloud system” considered as a whole.

Resorting to Cybersecurity Best Practices

According to the fundamental principles of security:

“Complexity is the ‘Sworn Enemy’ of Security”

It is not enough, therefore, to reduce the problem to the choice of the best product / solution (if this actually existed, we would all choose it!), but we must increasingly address security issues adopting a “holistic” approach, which takes into account the complexity of the system as a whole.

On the other hand, it has always been this way:

“Security is a PROCESS, not a product”

So the question of non-linear growth of the potential attack surface surface constitutes THE PROBLEM of Cloud Security, and cannot be diminished to a simple secondary aspect.

Dealing with the “Curse of Dimensionality”

The unpredictable effects of Complexity have long been known:
in essence, a complex system is characterized by the fact of manifesting unpredictable (if not chaotic) behaviors with the increase in the number of “degrees of freedom” that characterize it.

The most striking effect of such unpredictability is known as “butterfly effect”.

This unpredictability, of course, can be controlled by reducing (and constantly maintaining) the overall complexity of the system below of its “critical threshold”.

The problem is that identifying this critical threshold in the context of Cloud Computing is not at all simple.

Are algorithms and Machine Learning the way to go?

To date, even machine learning algorithms are not able to manage the “the curse of dimensionality”, that is to say the computational explosion deriving from the increasing number of “freedom degrees” of a system, corresponding in our case, to the number of buckets, apparatuses, systems, applications, etc. that can freely interact with each other) and the complexity that derives from it.

In practical terms, a possible vulnerability pertaining to the Cloud could be exploited on a “large scale”, resulting in a domino effect with obvious cascade damages, simply because of topological features that characterize the Cloud.

Also admitted (and not granted) that it was possible to guarantee the “safety” of the single devices, systems, applications, etc. that reside within the Cloud, such systems could still interact with each other in an unpredictable manner, by virtue of their “degrees of freedom”, which we are not ex ante able to establish in deterministic number, quality and nature (paradoxically, a traditional “local” security perimeter, made up of “heterogeneous” apparatuses and applications, might be able to break the “chain of contagion” even better, regardless of the level of security of the single apparatuses / systems that reside there).

What to do, then?

In conclusion, the most honest response that can be given to the “Cloud Security” problem is that, to date, we are not able to establish “a priori” the greater / lesser security of “cloud architecture”, as compared to traditional perimetral security solutions.

The most sensible decision therefore remains that of “do not put all the eggs in the same basket” (as the best practices of security still preach…), carrying out and keeping backups of critical data (i.e. the data that are essential to guarantee the Business Continuity of an Organization) outside the Cloud, also adopting appropriate Disaster Recovery plans (being assisted by a Security Analyst, rather than just being advised by our trusted vendor…)