Cloud computing a 'security nightmare,' says Cisco CEO

If anyone has the right to be excited about cloud computing, it's John Chambers. But on Wednesday, the Cisco Systems Inc. chairman and CEO conceded that the computing industry's move to sell pay-as-you-go computing cycles available as a service on the Internet was also "a security nightmare."

Speaking during a keynote address at the annual RSA security conference, Chambers said cloud computing was inevitable, but that it would shake up the way that networks are secured.

"You'll have no idea what's in the corporate data center," he said. "That is exciting to me as a network player. Boy, am I going to sell a lot of stuff to tie that together."

However, he added, "It is a security nightmare and it can't be handled in traditional ways."

Cloud computing is a hot topic here at the security conference in San Francisco this week. Big computing companies like Cisco and IBM are eager to talk about it, but security experts see a lot of work ahead.

"I think it's really going to be a focal point of a lot of our work in the cybersecurity area," said Ronald Rivest, an MIT computer science professor and noted cryptographer, speaking during a conference panel Tuesday. "Cloud computing sounds so sweet and wonderful and safe ... we should just be aware of the terminology, if we go around for a week calling it swamp computing I think you might have the right mind-set."

Rivest added that he was optimistic about cloud computing's future, but that it was going to take "a lot of hard work" to make it secure.

Show attendees haven't bought into the concept either.

"I'm not seeing a huge benefit in the cloud for us," said Bruce Jones, chief information security officer at Kodak, speaking in an interview.

One of the main problems is that Jones doesn't want to give up control of sensitive data to a nebulous cloud-based computing architecture. For long-term computing projects, it's probably cheaper to simply buy the hardware, he said, although cloud computing could work on a small scale at Kodak.

"It's a pilot or an R&D project where they want to do something and they need some kind of on-demand scalability; it's good for that as long as you don't care about the confidentiality of the data," Jones said.

As data moves onto the cloud, Cisco's security services will become even more important, and the company's ability to dig in and inspect data moving on and off corporate networks will become even more critical, said Tom Gillis, vice president of marketing with Cisco's security technology business unit.

"The move to collaboration, whether it be video or the use of Web 2.0 technologies or mobile devices is really dissolving the corporate perimeter," Gillis said. "This notion of security as a line that you draw in the sand ... that notion is just gone."

And it's not going to come back. Chambers said that his company's use of Web 2.0 technologies such as video blogging and conferencing has mushroomed in the past year. In the first quarter of 2009, Chambers held 262 meetings, he said. Two hundred of them were virtual, using Cisco's TelePresence system. "It's got to be secure as we do this," he said. "This is our lives."

By Robert McMillan


I think there is a misconception that a move to Cloud Computing is inherently insecure. I don't think that is the case. For example, with Google Apps you can easily utilize multi-factor authentication, or to make it even more secure you can place the Security Assertion server inside your corporate firewall. This would require the user to be on the corporate network before accessing any of the Google Apps. However, this would also cause inconvenience for the mobile user who doesn't like to log in to a VPN connection. It is all about trade-offs. My key point is that there is nothing preventing an organization from securing the Cloud Services.

Risk management is important. However, what I am seeing right now is that most traditional e-security departments are just concentrating on the Vulnerability component of the Risk equation:

Total risk = Threat X Vulnerability X Asset value
Residual risk = Total risk - Countermeasures

They are completely leaving out the "likelihood of an event happening" from their analysis.

Countermeasures are put in place to reduce the likelihood of an event, which minimizes the overall residual risk.

In the words of Professor David Deutsch, "Problems are Soluble. Problems are inevitable"

Professor Deutsch goes on to say, "No amount of precautions can avoid problems that we do not yet foresee. Hence we need an attitude of problem fixing, not just problem 'avoidance'. An ounce of prevention equals a pound of cure, but that’s only if we know what to 'prevent'. If you’ve been punched on the nose, then the science of medicine does not consist of teaching you how to avoid punches. If medical science stopped seeking cures and concentrated on prevention only, then it would achieve very little of either."

The traditional Enterprise IT world is buzzing at the moment with plans on how to stop Cloud Computing from entering into the workplace. It ought to be buzzing with plans to reduce the security and privacy risks associated with Cloud Computing and improve data-portability and forensic capabilities. And not at all costs, but efficiently and cheaply. And some such plans exist, host-proof hosting[1], for example.

With problems that we are not aware of yet, the ability to put right - not the sheer good luck of avoiding indefinitely - is our only hope, not just of solving problems, but of making technological progress.

(the above is based on a talk by Professor David Deutsch on problem avoidance)

