Time to end the cloud-o-phobia

Sorry, but I felt no need to purchase a monocle so I could have it pop out of my eye in horror/dismay/astonishment when I read this article about German police thinking of storing body camera footage on Amazon.

I quote…

Privacy advocates and cyber security experts raised concerns on the choice of German police to store bodycam footage, which may be used as evidence, on Amazon servers.

Are there some valid privacy concerns here? Yes, and there is legislative work to do in this area. But what really annoys me is the general attitude of “cyber security experts” that using cloud resources is inherently less secure than other options.

It is time to get a grip, people – storing things at reputable cloud providers is probably safer (and usually more cost effective) than trying to host them yourself – IF you take the time to understand the correct way to use these platforms and configure their security settings properly.

I read a LOT of data breach reports. Way too many. And one thing that I have noticed is that when breaches occur in cloud platforms (particularly Amazon), the source of the problem always seems to be that the person setting up the system decided to misconfigure security settings. To make matters worse, these misconfigurations usually involve changing access settings from the safe, default settings to unsafe, crappy settings in an effort to “make things easier” on programmers or admins who have not been given the time or training to understand that cloud platforms are not the same as a server in their data center and have a specific “operating system” which includes security settings.

Setting a Linux or Windows admin the task of safely provisioning cloud assets without providing her with the proper training is asking for trouble. You wouldn’t tell a Linux admin to set up a secure Windows server without any Windows specific training, would you? Well, asking someone to secure an AWS or Azure or other cloud provider without vendor specific training and knowledge is what we security professionals call “stupid.”

The cloud seems to be the way we will be doing a lot of our computing in the future. And when I say “future,” I mean “now.” When electricity first became a thing, (rich) people had generators on their estates to produce power. As time went on, the power grid we rely on today replaced this inefficient and costly way of providing power. Computing resources are going in the same direction and we security professionals need to stop wringing our hands about how the world is going to hell in a handbasket and come up with strategies to help our organizations be safe in this new world.

So, rather than chastising the German police for using the cloud, we should applaud them – AND remind them of the need to use the cloud wisely.

Leave a Reply