It’s hard to protect what you don’t understand. It’s also hard to protect data if you don’t know where it is. If your data has silently been mirrored to a data center overseas while migrating its way around the cloud, how would you know? How would you really be able either to protect it or know with certainty how secure it is? This is the problem with converging data – assuming it will work and be secure, and still interoperate and behave.
If you don’t know where your data is, you may not have much luck protecting it legally, or really knowing how that might happen across different overseas jurisdictions if you run into trouble. In that sense, it’s very hard nowadays to understand what’s really happening in the cloud; you just hope for the best – security-wise.
Not that you can’t know, but there are increasingly layers of abstraction – for market and technical reasons (high percentage marketing-related) – between you and where your data lives. If the markets dictate discount data storage overseas, you can bet some large portion of data will silently ooze there over time. If they dictate that everything should include “Cloud” in the title (rather than the underlying technology – typically a bunch of virtual machines that still need to be secured), then that’s what the brochures will say.
Combine that with multiple endpoints that are increasingly likely to be found in your pocket, purse or backpack, and the perimeter becomes very hard to understand, and harder to protect.
For years, interoperability across platforms has been the bane of technologists. They even have a show about it – Interop – where techies can vent and share stories, bad experiences, and (hopefully) fixes.
But there’s a converging trend towards simplify everything, very likely because managing many nodes instead of one or two is really hard, so it has to be made simple. The problem is, security is still hard. So if you put more big shiny “secure” buttons on your swarm of mobile/cloud/IoT devices, it doesn’t necessarily make it secure. If that were true, no one would be getting hacked now, right?
Sure, the vendors are trying to make security easier by default, but if all you want to see is a big shiny button and you’re not interested in what’s behind that button, it doesn’t make you more secure. It makes you more dependent on your vendors’ ethics.
Some companies that place a high focus on security can succeed if they are able to justify it to investors who typically view security as a money pit. But if market pressures prevail, all you’re left with is a shiny button you hope works.
If that company with the strong security ethics gets silently sold, who can say what the new landlord might dictate? Last year at Interop we watched lots of tech companies going on buying sprees, gobbling up solid tiny tech companies to add to their swelling portfolios. But who’s to say the new umbrella company will have the same sensibilities as the tiny startup that lived, ate and breathed security?
So now security is just as hard, but you have to have high confidence in your staff’s ability to sort through the hype and figure out the real fundamentals of security, and whether a vendor’s doing it well, or just has more shiny buttons than last year. Not even real buttons, but a button likeness on your mobile device.
By Cameron Camp, malware researcher, ESET