Some of you may remember Marathon Man, starring Laurence Olivier as the evil Nazi dentist Dr. Christian Szell and Dustin Hoffman as a graduate history student nicknamed Babe. Szell has come to New York from his South American jungle hideaway to retrieve a cache of diamonds, but he’s not sure he won’t be walking into a trap. He thinks Babe knows, and tortures him, repeatedly asking, “Is it safe?”
Szell: “Is it safe? Is it safe?”
Babe: “You’re talking to me?”
Szell: “Is it safe?”
Babe: “Is what safe?”
Szell: “Is it safe?”
Babe: “I don’t know what you mean. I can’t tell you something’s safe or not unless I know specifically what you’re talking about.”
It’s a scary scene and I’m reminded of it whenever people say, “Public clouds aren’t secure,” or, more recently, “Multitenant applications aren’t secure.”
So? Are they safe? Are they secure? Like Babe, I can’t tell you unless I know specifically what you’re talking about. Just as with the term cloud computing, we need a more sophisticated understanding of what the word safe really means.
Security is a complex topic. A business-application cloud service is secure if (and only if) it meets your requirements in seven key areas: hardening, identity and access management, auditing, testing, compliance, privacy, and education. And these seven areas apply to all of the technology underlying the application. So, for those of you with an analytical bent, draw a 7×5 matrix with the seven pillars above as your columns, and application, platform software, compute and storage, data center, and network as your rows.
- Hardening. Any application cloud service (actually, any application) depends on not only the integrity of the application itself but also all the software and hardware that supports it. So you must make sure that the latest security patches have been applied and that there are no viruses, malware, or unknown software lurking in your storage management, operating systems, databases, or middleware. If the application, right down to the network, is not hardened, then all bets are off. How much hardening you want to invest in, how much hardening you need, is a cost-benefit decision you have to make depending upon how critical the application is to your operations. Nothing can be perfectly hardened.
- Identity and Access Management. The implementation of any security policy is dependent upon knowing the identity of an individual. In other words, who wants to use this application? Just like in Prohibition speakeasies, someone has to know if it’s OK to let you in, usually, now as then, with a password. Once that identity has been established and authenticated, access management consists of deciding what data you are allowed to see and which operations you’re allowed to perform. Remember, your requirements for identity and access management must start from the mobile device and extend through the application into the supporting software, hardware, data center, and networks. Increasingly, there are operations-management cloud services such as Okta and Trend Micro that will do this for you.
- Auditing. Auditing, a key principle in building a secure system, records all the changes that happen to an application and the underlying technology. This allows one to identify the source of the change, be it bad guys or careless guys. Intrusion-detection solutions from such providers as Hewlett-Packard and Raytheon use real-time auditing to sound the alarm when a breach occurs. New Securities and Exchange Commission rules concerning cybersecurity-risk disclosures make auditing even more critical. Maybe one day, like the precogs in the movie Minority Report, we’ll be able to discover security faults before they happen. This brings us to testing.
- Testing. There’s a wide variety of tests that can be run to determine whether the security of an application and its underlying technology can be compromised. This class of operations-management cloud services is available from a number of companies, including McAfee, Perfecto, SecNap, and WhiteHat. What security testing is required for each application in your portfolio?
- Compliance. Two of the more well-known compliance standards are PCI DSS and HIPAA. PCI DSS provides guidance for the credit-card industry as to a minimum required set of security controls. Under HIPAA, the federal government developed privacy principles and security guidelines for health-care patients, health-care organizations, and service providers. How these standards apply to your enterprise will define the security requirements for your applications.
- Privacy. As we move from an anonymous Internet to a notorious one (with Facebook leading the way), privacy issues must be considered in any application. Privacy entails the ability of individuals or groups to control information about identity and behavior and thereby reveal it selectively. Clearly, any consumer-facing application must be able to both protect the privacy of personal information and offer the individual choice over its use.
- Education. The final pillar is education. Since the days of the Great Wall, the individual is the weakest point in any security system. Clicking on e-mails or links that you shouldn’t, putting your passwords on sticky notes, giving up control of your PC to someone who sounds important — these are all activities that can defeat the most sophisticated security system. The only way to prevent these dangerous practices is by training; by education. So whether it’s your own staff or the personnel of your cloud service provider, make sure they’re educated about security.
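The identity-and-access-management and auditing pillars above describe a sequence: establish who is asking (authentication), decide what that identity may see and do (access management), and record every decision with its source so a change can later be traced to the bad guy or the careless guy. The following is an added example, not code from the article or from any of the vendors it names; the user store, roles, permission table and audit-log format are all constructed here for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000  # work factor for the password hash; tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest). Only these are stored; the password itself never is."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Identity: a constructed user store (hypothetical users, not real credentials).
USERS = {name: hash_password(pw) for name, pw in
         [("alice", "correct-horse"), ("bob", "battery-staple")]}

# Access management: a role per user and a (resource, operation) set per role.
ROLES = {"alice": "analyst", "bob": "admin"}
PERMISSIONS = {
    "analyst": {("orders", "read")},
    "admin": {("orders", "read"), ("orders", "write"), ("users", "read")},
}

# Auditing: every decision, allowed or denied, is appended here with its source.
AUDIT_LOG = []


def authenticate(username, password):
    """True only if the username exists and the password matches its stored digest."""
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so an unknown user takes as long as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def authorize(username, resource, operation):
    """True if the user's role grants the requested operation on the resource."""
    role = ROLES.get(username)
    return role is not None and (resource, operation) in PERMISSIONS.get(role, set())


def request(username, password, resource, operation, source="203.0.113.10"):
    """Authenticate, then authorize, and audit the outcome either way.

    `source` is a constructed client address; a real service would take it
    from the connection so the audit trail identifies where a change came from.
    """
    if not authenticate(username, password):
        allowed, reason = False, "authentication failed"
    elif not authorize(username, resource, operation):
        allowed, reason = False, "not permitted"
    else:
        allowed, reason = True, "allowed"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "source": source,
        "resource": resource,
        "operation": operation,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed


def audit_entries(**filters):
    """Return audit records whose fields equal every given filter value."""
    return [e for e in AUDIT_LOG
            if all(e.get(key) == value for key, value in filters.items())]


if __name__ == "__main__":
    request("alice", "correct-horse", "orders", "read")    # allowed
    request("alice", "correct-horse", "orders", "write")   # denied: not permitted
    request("mallory", "guess", "orders", "read")          # denied: authentication failed
    for entry in audit_entries(allowed=False):
        print(entry["time"], entry["user"], entry["source"],
              entry["resource"], entry["operation"], entry["reason"])
```

Two design points worth noting: authentication never branches on whether the username exists before doing the same amount of work, and denied requests are audited just like allowed ones, because the denied attempts are usually the ones an intrusion-detection review needs to see.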
The statements “the public cloud is insecure” or “multitenancy is not secure” convey a very unsophisticated view of a very complex topic. My hope is that when you purchase cloud services, you’ll have defined security based on these seven pillars so you’ll be able to say, “It’s safe” and have confidence that you know what you’re talking about.
Timothy Chou teaches cloud computing at Stanford University. He is the former president of Oracle On Demand and the author of Cloud: Seven Clear Business Models.