Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Cloud Security’ tag

Secure Cloud Storage

without comments

Encryption != Security

I was reading the “Enabling cloud Storage for the Enterprise” white paper from Emulex. First, I’d like to compliment the unknown author. I’ve read (and written) many white papers. This document is among the best.

As always, I have some reservations about the Data Security arguments that were made.

First, the unknown authors claim that “When moving data outside of the data center, as is the case with public cloud storage, security concerns become a top priority” since “When data is kept within the confines of a data center, there are recognized methods for ensuring that it is kept safe”. While I totally agree that there are recognized methods to protect data inside the data center, I do not agree that placing data in the cloud is a top concern. In most cases the end user or even the organization that is placing the data in the cloud is unaware of its location, and even if it is aware, security (unfortunately) is not a top priority. I’m saying that when we discuss security in the context of “the cloud” one should demand security. In the same way that business users are demanding secure systems today, they should demand it when “the cloud” is involved.

But there is a bigger problem with the security section of this document. A big problem. There is a logical flaw in the main security assumption made in that section, since the document assumes that IDA (Information Dispersal Algorithms) is good (“enough”?) to be used as the method to secure the data.

I have an issue here since the white paper sets an agenda that encrypted data should be considered secure, since “To make use of the data in the cloud, a hacker or SSP employee would have to also gain access to a quorum of the data slices stored elsewhere”, but we know, by way of living, that no encryption method is secure enough, as the problem is related to the application that will get hacked.

Indeed, if the risk that Emulex writes about is related to employees stealing drives with data, then encryption might be good enough (depending upon encryption management and so many other factors). But as we know, security issues are mostly related to the way that the application is accessing the data, which will not be encrypted since the application is required to access the data… Just think about SQL injection and why it happens…
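The point above as an added example (not code from the original post or from the Emulex white paper): records are dispersed so that no single slice is readable, yet the application that holds the quorum serves plaintext through a concatenated SQL query, shown beside the parameterized form. The n-of-n XOR split is a simplified stand-in for the quorum idea, not Rabin's IDA, and all names and sample records are constructed for illustration.

```python
import os
import sqlite3

def split(data: bytes, n: int = 3) -> list:
    """n-of-n XOR split: all slices are needed; any subset looks random."""
    slices = [os.urandom(len(data)) for _ in range(n - 1)]
    last = data
    for s in slices:
        last = bytes(a ^ b for a, b in zip(last, s))
    return slices + [last]

def join(slices: list) -> bytes:
    out = bytes(len(slices[0]))
    for s in slices:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out

# Constructed sample records, dispersed across three hypothetical providers.
RECORDS = [("alice", "alice-secret-1"), ("bob", "bob-secret-2")]
PROVIDERS = [[], [], []]
for owner, secret in RECORDS:
    for store, piece in zip(PROVIDERS, split(f"{owner}|{secret}".encode())):
        store.append(piece)

def open_app_db() -> sqlite3.Connection:
    """The application holds the quorum, so its database sees plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vault (owner TEXT, secret TEXT)")
    for pieces in zip(*PROVIDERS):
        owner, secret = join(list(pieces)).decode().split("|")
        conn.execute("INSERT INTO vault VALUES (?, ?)", (owner, secret))
    return conn

def lookup_vulnerable(conn, owner: str):
    # Weak: user input is concatenated into the SQL text.
    return conn.execute(
        "SELECT secret FROM vault WHERE owner = '" + owner + "'").fetchall()

def lookup_safe(conn, owner: str):
    # Corrected: bound parameter, so the input is only ever treated as data.
    return conn.execute(
        "SELECT secret FROM vault WHERE owner = ?", (owner,)).fetchall()

if __name__ == "__main__":
    conn = open_app_db()
    crafted = "x' OR '1'='1"  # constructed input for the demonstration
    print("one slice on its own:", PROVIDERS[0][0].hex())
    print("vulnerable lookup:", lookup_vulnerable(conn, crafted))
    print("parameterized lookup:", lookup_safe(conn, crafted))
```

The dispersal layer behaves exactly as designed in both lookups; only the query construction decides whether every owner's record is returned.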

Bruce Schneier begins Secrets and Lies by saying “I have written this book partly to correct a mistake” — that being the utopian vision of cryptography in his earlier Applied Cryptography. Of the wonders he predicted in that work, he now writes
“Cryptography can’t do any of that.
… Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.”

Bruce Schneier begins his book Secrets and Lies by saying “I have written this book partly to correct a mistake” that he made with his utopian vision of cryptography and algorithms keeping “your deepest secret safe”. I will allow myself to paraphrase that when it comes to secure Cloud Storage, “Cryptography can’t do any of that”. I suggest that anyone who thinks that security=(only) cryptography think again.

BTW, IDA was developed by Michael Rabin, who won the Turing Award in 1976 and the Israel Prize (in computer sciences) in 1995.

Image source: http://ulcercity.blogspot.com/

Written by sharon

September 16th, 2009 at 2:29 pm

Preventing Threats From The Clouds

with one comment

My friend Dean is inspired by military battle plans. Recently, he used some to explain competitive marketing tactics (sorry, you can’t get those secrets from me). I’m thinking that we shouldn’t stop there. Inspired by the way that Dean is recycling old battle plans (recycling and going green are still very trendy), I decided to find additional solutions. Amazon’s “new” cloud platform is an ideal candidate.

It’s a vulnerable, easy target and holds a lot of strategic value. Bring the Hawks.

The Next Generation of Cloud Attack Prevention

Image source: http://www.aladad.org/HawkFiring.jpg

Seriously,

Written by sharon

April 6th, 2009 at 8:47 am

Posted in Cloud Security
