UPDATE: Should have known Chris Hoff would have been all over this already. From the Twitter Conversation I missed last night:
Chris, I award you an honorary NewSchool diploma for that one.
From: Amazon Says Cloud Beats Data Center Security where Steve Riley says, “in no uncertain terms: it’s more secure there than in your data center.” Groovy. I’m ready to listen. Steve’s proof?
AWS is working on an Internet protocol security (IPsec) tunnel connection between EC2 and a customer’s data center to allow a direct management network to EC2 virtual machines.
Well, bad guys might as well give up their Metasploit now, huh? Pack it in, fellas, Amazon’s got IPsec tunnels!
Any virtual machine generating communications traffic is forced to route the traffic off the host server and onto the data center’s physical network, where it can be inspected. A virtual machine’s attempt to communicate with another virtual machine on the same server is refused. “We prohibit instance-to-instance communication,” another security measure, Riley said.
“Inspection,” “refused,” “prohibit instance-to-instance communication.” These are all relatively soothing words to some, and granted, it’s kind of *all* we can do – but to outright say “cloud is more secure” is a pretty big claim. And one that needs to be substantiated by, oh, what’s the word I’m looking for… data? Even a logical model would be interesting, really.
Sorry Steve, I’m NewSchool, I can’t just take your word for it.
The problem is that our current ability to inspect rarely prevents any significant threat, and inspection is very difficult to operate efficiently as a detective control. Refusing/prohibiting non-specified intra-VM communication is great. Happy to hear about it. And I’m thrilled that there’s never, ever been any vulnerability in any of the associated code, that it’s the bestest-estest ever, and that it will never, ever have any other vulnerabilities in it.
Look, I’m not saying that using the cloud can’t meet your risk tolerance. I’m cool with cloud computing. I’m not saying “run away from the cloud ahhhhhhhh” or any such nonsense.
What I am saying is that, from what we know about software and network security, I find it hard to believe that adding (non-security) computing functions and complexity makes things *more* secure than an otherwise identical environment *without* that extra computing.
Information Security is not “there’s a weak girder in a bridge so architect a solution to reinforce the bridge”. But unfortunately I have this sinking feeling that as long as the “cloud security” discussion is dominated by IT architects with half a security clue presenting these sorts of engineering solutions with that sort of mindset, we’re just going to have to live with them missing the point.