Why Amazon's Werner Vogel is wrong about cloud security

happygeek 1 449 Views

Werner Vogel, Amazon Web Services (AWS) CTO, speaking at the AWS Summit in London yesterday has made the rather amazing claim that security in the cloud is "much stronger" than anything you can have on-premises. As someone who has been writing about information security for more than 20 years, and covering the cloud security beat for five, I can understand why he may say that. However, it doesn't mean that he was right; not for every customer, not for every implementation.

If you are talking about the smaller end of the SME spectrum then, for the most part in my experience, there's a very good chance that the kind of dedicated security know-how and infrastructure investment available from the likes of AWS is beyond the reach of the average business. If you are talking about larger enterprises, which do have dedicated security teams and have already invested heavily in the relevant infrastructure and processes, well sorry Werner but that's a totally different ballpark.

It's one thing for Vogel to dismiss hybrid cloud, and I think he's got that fundamentally wrong as well, but to make such simplistic and wide-sweeping statements concerning security in the cloud is pretty much unforgivable. It's the kind of thing I hear on a daily basis from marketing men and product directors, but would not expect to be coming out of the mouth of the CTO of such a large player in the cloud space. Sure, AWS thinks it is pretty clued up when it comes to the importance of data encryption with the option of enabling customer generation and management of keys using CloudHSM for example. Which could be OK as far as 'at rest and in flight' encryption is concerned, and also could be OK for data storage in the cloud. Not so OK, from the 'more secure than your on-premise solution' perspective when you want to do something with that data in the cloud though.

Something like, well, processing it. Until the promise of Homomorphic Encryption is realised then, frankly, the cloud is not going to be automatically more secure than your on-premise set up. As soon as data processing in the cloud comes into play, and your encrypted data has to be decrypted, then all the security in the world amounts to nothing; all you have left is trust that the organisation holding your data and enabling the processing is not peeking at your plaintext data, and is not allowing someone with a court order to do likewise.

This is the single point of failure in the "our cloud is more secure than yours" argument, this is why such statements are not helpful in moving forward the cloud security position. Werner Vogel has made the mistake of conflating security and risk, the two are not the same thing. The risk to data may be acceptable, that does not make it secure and it certainly does not make it "much stronger" than an on-premise solution in anything like every instance.

Member Avatar for rubberman
rubberman 1,355 Nearly a Posting Virtuoso

In the case of either on-premises or in-cloud systems, following the "rules" is the only way to get real security (relatively speaking). Amazon is pretty good about security, but you can still leave yourself open to exploit if you don't dot your i's and cross your t's. That said, I think it is still more secure than having to roll your own in a private data center - I've had to deal with both. Amazon provides a lot of tools, help, and documentation to secure your cloud services. To do that on your own is very difficult, and expensive.

Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

It depends on your definition of security, of course, and whether you factor in the third party access to data stuff. On-premise has the advantage in the 'much stronger' game in as far as at least you know when The Man has got a court order/warrant and been poking about in your data. The same can not be said about all in-cloud or outsourced systems. My beef is just with the dismissive and sweeping 'cloud is much stronger' statement, which is plainly incorrect in every case. Much stronger in many cases, would work for me, or can be stronger depending upon your current circumstances even - but it's not a black and white issue that can be dealt with by such a black and white statement IMHO.

Member Avatar for HarpreetKaur
HarpreetKaur 0 Newbie Poster

I think I have to disagree with Vogel’s view on hybrid cloud, I think having a hybrid cloud is actually one step closer in making the cloud more secure for companies. It allows you to have the best of both worlds – you can keep private the necessary information however still having the option of making some parts of your information publically available. You essentially get the best of both worlds – both public and private cloud. In keeping with the discussion of security in the cloud I think that the location of your data is also very important. For certain industries it is essential to keep information private, this will then come down to which country or region they have stored their data in. Obviously where you can place your data depends on who you want to make that information available to which is an added bonus to security – you know exactly where your data sits. The USA have their patriot act which gives them access to all the information they need/want hence the reason some companies are keen to keep their data away from there all together.

Member Avatar for rubberman
rubberman 1,355 Nearly a Posting Virtuoso

Well, this is an interesting discussion that will continue for some time. The jury is still out as to whether cloud vs. premises systems are more secure. In my "not so" humble opinion, is that they are about equal, and a similar amount of effort is required to secure either. If you have really valuable "family jewels", then you should probably trust them to a bank vault, and not to a wall safe behind your cheap copy of a Rembrandt! In the case of data, a 4K public key encryption policy is probably the equivalent of the bank vault...

Edited by rubberman
Member Avatar for dlhale
dlhale 2 Newbie Poster

I think it is ironic that Vogel's claim is that AWS servers are secure at all when my servers suffer the most abuse from 'bots running on AWS servers! And trying to report it is impossible.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Edit Preview