The “cloud” is a buzz word that has been around for months. The marketing guys are pushing it so hard that every IT guy will hear of that at work soon or later.
Taking a decision whether to use it or not requires some deep knowledge, because if its pros are clear – you can count on the salesmen to get a great picture of it again and again, its cons are silenced.
Too bad, a major disadvantage is security. But guess what? The other day an “analyst” presenting his study about cloud computing just cleared out the issue in 3 words :
“Concerning the people who doubt of the security in the cloud, it is a typical psychological issue of theses persons fearing change or something new . There is really nothing concrete to worry about cloud security.”
Well, not sure I am going to see a psychologist. Of course the guy did not give any solid argument, so here we go.
In short, cloud computing expose to the Internet services that were, in normal conditions, always kept inside an internal network and behind peripheral protections.
Of course, these services offer authentication, but basically almost every traditional web attacks will work as usual. After all, we are talking about the same web portal, the same users, the same browsers, etc.
Let quickly summarize the potential threats: CSRF, XSS, phishing, SSL attacks (MiTM, certificate spoofing), browser exploits and many more.
So really, it is not a question of being crazy, paranoid or reluctant to change. There are just many issues that don’t make the cloud useless but should incite to caution.
Cloud computing can be used for what it is good at (flexibility, convenience) but not to replace a datacenter. It should not be used if security is a concern.
Don’t listen to the salesman only, read what some specialists are saying. Here is a compilation of some interesting articles I found :
- Black Hat 2009 presentation : pdf and summary
- Owasp presentation (pdf)
- Dangers in the cloud
- So you think *your* capability model is bad? (browser’s weak design)
And last but not least, in case our favorite salesman keeps pushy:
But that’s not all. The same goes with “virtualization everywhere”, but that will be another topic…