Cloud…a long journey towards a secure paradigm

When I discussed with many colleagues regarding cloud paradigm most of them smiled declaring that we face yet another found marketing to sell a methodology, known for at least a decade, under new and more appealing clothes.

Indeed many of the concepts behind the cloud  approach have little innovative, but the evolutionary push to the paradigm last year was really strong. The main brands in the industry have implemented cloud-based services that would seem to be able to materialize any request for an increasingly demanding audience.

But is it really so? In terms of security is the paradigm mature?

In my humble opinion, the paradigm is far from to be considered mature in terms of security. Many are lavishing a lot of effort in this direction but we are far from have “secure” model for the implementation of services, processes and information management. Have a secure infrastructure means that cloud, for the heterogeneous nature of its components, have to be able to ensure the protection of its resources, of the the data it manages, and of all the services provided. The distraction of using one of these components could compromise the safety of the entire cloud. Complicating everything is the great attraction that the Cloud has against those who want to have great offensive power from the platforms that they can manage to conduct an attack against a given target.

Think you have found the solution to everything using the “Cloud”? My compliments, but I remain skeptical. Which guarantees are offered in terms of security to cloud customers today? None! If you  sign a contract, and I talk about the legal side of it, you will soon realize to acquire a system with the characteristics of computing needed, but without any guarantee in terms of security. What happens if a resource of the cloud, perhaps ours, is violated and used together with other to attacks other components? Who is liable and to what extent? What are the metrics to evaluate the objective responsibility in case cloud attack? It would be possible to identify the machine that has been compromised? Absolutely not! We had noticed that Google hacking tools can be used to make the cloud insecure gathering sensible informations related to the authentications processes …  but the Google Hacking tools have been known for at least five years, but the Amazon Cloud Hack to attack Sony has been discovered on May  …

Some other examples ….

On August, 29th 2011 has been discovered That exploting some flaws in Google’s servers, malicious attackers were able to launch a DDOS attack on a chosen target .

On October 2011, Defense contractor Raytheon Declared That it was hit by aa spear phishing, cloud-based attack;

 

Never before, as in the case of cloud, technological implementation and legal implementation are so far, in my opinion because once again the drive business, in a moment of great crisis, has in fact outpaced the ability of development a mature solution.

It’s my opinion that we have a long trip to do … and this is only the beginning