[Infowarrior] - Hayden: What's at stake in the cloud?

[Richard Forno]

http://thehill.com/opinion/op-ed/185565-whats-at-stake-in-the-cloud

What's at stake in the cloud?

By Gen. Michael Hayden - 10/04/11 07:39 PM ET 

The new federal strategy for implementing cloud-computing solutions is
called "Cloud First"- and with good reason. We now systematically prefer
cloud-computing solutions to those based on local servers and laptops. The
allure of efficiencies, economies of scale, high-end services and - most
importantly - reduced costs are almost irresistible.

But, as American governments at the federal, state and local levels rush
headlong toward cloud computing, wouldn't it be wise to pause and ask,
"What's at stake?"

From a security perspective, as a former director of the National Security
Agency charged with stealing other nation's secrets while protecting our
own, I believe these stakes are high and the costs of a mistake particularly
grave.

The current structure of the Internet is fundamentally open - open in terms
of access and open in terms of use. But this openness has consequences. As
deputy secretary of Defense William Lynn said in a speech announcing our
military's Strategy for Operating in Cyberspace: "The Internet was designed
to be open, transparent, and interoperable. Security and identity management
were secondary objectives in system design. This lower emphasis on security
in the Internet's initial design ... gives attackers a built-in advantage."

The transition to the cloud gives us a chance to change that flawed security
paradigm. We can, if we choose to, build in more powerful security
principles from the beginning as integral components of cloud architecture.
Where more sophisticated and costly security solutions are too expensive for
an individual user (or small network), they are more affordable when the
costs are distributed among a larger group of users. 

Likewise, sophisticated solutions that could be too cumbersome to run on a
stand-alone personal computer or laptop (or today's tablet or phone) can run
effortlessly on the larger server systems maintained by cloud service
providers. Thus, if we invest our capital wisely (like creating an efficient
data management and authentication structure), the transition to cloud
computing can hold the promise of high-end security even for routine data
transactions.

But, just as these economies of scale offer the promise of greater security,
they also create greater vulnerabilities and threats that must be addressed
before we can say that cloud computing is secure. 

The accumulation of vast stores of data and computing power in cloud-based
systems will provide online thieves and hackers and nation states bent on
espionage with an exceedingly attractive target. In a survey of attendees at
the 2010 DEFCON conference, one of the largest hacker conferences in the
world, 96 percent of hackers believed the cloud would open up more hacking
opportunities for them, while 89 percent believed cloud vendors were not
doing enough to address security issues.

Given the potential nature of cloud services, in the event of data theft or
loss due to illegal or intrusive actions, cloud clients could be subject to
legal and/or financial liability for breaches over which they have little
knowledge and even less practical control.

Users might also need to create independent Continuity of Operations Plans
(COOP) to ensure functionality and survivability if cloud service is
disrupted. One essential part of any COOP will have to be the ability to
change cloud or other network service providers should the need arise. 

Will there be sufficiently common standards that govern "cloud" service to
make any such transition possible and not overly complex or costly?

Any system is subject to insider threats. The more concentrated the data,
the more catastrophic the failure if the threat materializes. In the cloud,
an insider with access can replicate, download, steal, delete or modify
multiple clients' data unless effective internal security measures are
implemented. Personnel screening, internal security and the like will be the
responsibility of the cloud manager. How transparent will this be to clients
since users will be dependent on the cloud manager's effectiveness?

To date, most cyberattacks have in reality been examples of theft - personal
data, intellectual property, state secrets - conducted for malice, profit or
espionage. And unlike parallel activity in the physical domain, which
usually only directly affects large commercial and governmental interests,
cyberattacks can directly affect individual citizens. In the cloud, it is
their data that is stolen and their services that are disrupted.

Breaches in the cloud could be more catastrophic than breaches in discreet
networks or systems. Overstating the threat only slightly, the difference is
between breaking into an individual home and breaking into a large,
theoretically secure building filled with unlocked condominiums.

There are fundamental challenges and opportunities for cloud providers. Will
they develop a business model that emphasizes merely price and efficiency,
or will they strive to make security services a key discriminator between
their offerings and those of their competitors - even if that means
reinvesting some portion of the cloud's "savings" back into a more secure
architecture. Let's hope for the latter.

Hayden is the former director of the National Security Agency (1999 to 2005)
and Central Intelligence Agency (2006 to 2009). He is now a principal at The
Chertoff Group, a global security advisory firm, which advises clients on
cybersecurity including cloud computing.