Cloud Security: Better Than We Think? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

10:42 AM
Connect Directly

Cloud Security: Better Than We Think?

Conventional wisdom says that cloud computing is inherently less secure. But many government experts are focused on cloud computing's security strengths.

Cloud computing has flunked a security test, reports Tim Wilson at Dark Reading. That probably doesn't surprise you. Conventional wisdom says clouds are inherently insecure.

But are they? Or are clouds actually more secure than conventional IT environments? A growing number of technologists are making that argument. And they're not cloud vendors or marketers or startups who have placed their bet on the cloud. They're some of the senior-most technology officials in government, including those from intelligence agencies and the military, which might be the last place you'd expect to hear such talk.

The list of execs touting the security advantages of the cloud has grown to include federal CIO Steven VanRoekel; Gen. Keith Alexander, head of both the National Security Agency and U.S. Cyber Command; CIA CTO Gus Hunt; NIST security researchers Peter Mell and Dr. Ronald Ross; and former NSA director Adm. Mike McConnell.

Their comments on cloud security are often accompanied by the caveat, "if you do it right." In other words, cloud security only happens through a combination of vigilance, best practices, and technology, including encryption, patching, and monitoring.

The shift to the cloud is an opportunity to rethink security from the ground up, to re-architect networks and data centers in a way that closes existing gaps. The feds are helping agencies do this with a growing body of guidance such as NIST's 68-page document on cloud security and controls required as part of the forthcoming FedRAMP security authorization program.

CIA CTO Hunt talks about periodically and automatically moving workloads and reimaging machines as a way of creating a "polymorphic attack surface" that confuses would-be attackers, as they won't know what's running on which physical server at any point in time.

Hunt's not some IT lightweight, and the CIA can't afford to be cavalier about the security of its data and systems. "We're paranoid for a reason," Hunt told the audience at InformationWeek's GovCloud 2011 event in October. "They really are out to get us. And I'm not kidding about this, when secrets leak out, people die."

Alexander says cloud computing can improve patching across a network and bring other benefits. "You have better visibility and situational awareness," he said at a recent event hosted by the Defense Advanced Research Projects Agency. "More importantly, if you were to watch how we push out [patches] today, you would laugh or cry because it takes months. We need a dynamic way to do it, and the cloud lets us do it much quicker."

These concepts apply primarily to private, not public, clouds. Even so, NIST's Mell, one of the creators of the FedRAMP program, has argued that entrusting data to the world-class engineers at Amazon, Google, and Microsoft may be more secure than hosting the data in your own data center.

Not everyone is ready to buy into this line of thinking, of course. At a recent cybersecurity event in Baltimore, some attendees scoffed at Alexander's take on cloud security. Their counterargument: Consolidation and virtualization might make an IT environment more manageable, but they also create a bigger target for social engineering and other forms of attack.

And NIST, despite the optimism of its cloud researchers, offers its own words of warning. "The cloud computing environment presents unique security challenges," NIST writes in its recently released "cloud roadmap" document. "The architecture, potential scale, reliance on networking, degree of outsourcing, and shared resource aspects of the cloud computing model make it prudent to reexamine current security controls." Prudent? That's too soft. IT pros that don't pay close attention to security controls in the cloud are putting their organizations at extreme risk.

Done right, however, clouds may be more secure than old-style data centers. That's the view of influential IT leaders within the government's intelligence, defense, and civilian agencies. Maybe it's time to think more about the potential security benefits of the cloud, and not just about all that can go wrong.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll