We're doomed to insecurity in the cloud and on thin clients

Every new technology brings the same old security vulnerabilities, along with new ones

Page 2 of 2

It gets worse. Users are going to object to binary security models with thin clients just as they do on PCs and the Internet. As different platforms become more popular, the vendors will be forced to offer more functionality and more granular security. All of that means these devices will likely become as insecure as the platforms they are replacing.

One of my favorite examples is Adobe Acrobat Reader. When all it did was display a document, it was fairly hard to hack. But it became popular and Adobe added features, such as the ability to automatically launch links and executable code from within a PDF document. That ended Reader's free security ride. Today, the software is involved in a sizable percentage of end-user exploits. Adobe releases monthly patches closing dozens of newly discovered and exploited vulnerabilities every year.

I don't blame Adobe. Stay static and your competitor will eat you for lunch. End-users don't buy security; they buy features and coolness. If end-users truly cared about security, OpenBSD would rule the planet. It's free and has a demonstrated 15-year history as the most secure (popular) operating system on the planet. It's the OS of choice for hundreds of thousands of users, but in my two-decade career, I've personally met maybe a dozen people who run it.

Meanwhile, as the cloud gains popularity, some cloud vendors are thinking seriously about security. However, clouds are inherently riskier than traditional platforms, all other factors considered equal. First, all clouds rely heavily on virtualization, but virtualization platforms carry every security risk known to physical computers, as well as guest-to-guest and guest-host risks.

On top of that, clouds have unique risks that aren't found elsewhere, including multitenancy (multiple customers sharing the same database), broad authentication and authorization schemes (not just your private directory service), and lack of location specificity. With the last issue, how can you protect your data when even the vendor probably doesn't know where it is specifically?

This is not to say that clouds can't be more secure than traditional networks. Most traditional networks I've assessed could only be improved by moving some of their data into the vendor's tremendously more secure data center. But I don't think clouds or thin clients will significantly change the amount of vulnerabilities we face each day.

I used to think Internet crime would one day cause a catastrophic tipping point event, where the Internet, as a whole, went down for a day or so. I figured that the tipping point event, similar to the 9/11 attacks, would wake up the world to the Internet insecurities, and we'd eventually fix them.

What I didn't expect is that we'd live with thefts of our money and identity, as bad as it is, as a normal part of life. I especially didn't think that as each new paradigm comes out -- social networking, smartphones, thin clients, cloud computing, and so on -- we'd relive the same problems over and over. You'd think that along the way we'd heed the lessons learned and be proactive in preventing the on the new platforms. But we're not there yet.

This story, "We're doomed to insecurity in the cloud and on thin clients," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

| 1 2 Page 2
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.