Cloud computing is insecure because security's not sexy

I was reading Bill Buchan's thoughts on cloud computing and the News International phone hacking case, and he mentioned that voicemail was the first cloud system most people used.

He mused that cloud systems need more security - that they must consider using two-factor passwords, forcing pass{word|phrase} expiration, and so forth.

I don't disagree with him at all. I've had the same password for some cloud services for years now, and I really need to change it. It's on my to-do list, and when I get a quiet moment I'll be doing a massive sweep of my various cloud systems and changing passwords en masse. It's long overdue.

But strict checking at the door doesn't protect you from cookie hijacking or many other man-in-the-middle/credential theft attacks. If I steal your cookies for a website and put them onto my machine, I'm now you. For a while, at least.

What can we do about that?

Well, the three pillars of security are Authentication, Authorisation and Audit.

Bill's approached the problem from an Authentication aspect. Which is valid. But I think we should focus a lot more on Audit, too.

Audit is basically logging. The age-old questions of "what happened, when did it happen, where did it happen?".

I can only think of one cloud service which gets even close to providing decent auditing, and that's not the one you'd think it is. It's Facebook.

Facebook forces me to name new machines when I log in to it, and they send me an email informing me of my login. And because everything I do on Facebook is, perversely, pretty much its own audit trail - I have one screen (my profile) where I can figure out what I've done on Facebook recently.

Facebook are ahead of the pack here, because they're trying to keep track of which machines I use them from. It's not perfect, but they're doing well.

Contrast that with webmail systems I use. No logs. I don't know when or where from "Philip Storry" logged in to read his email. I don't know what "I" did, and if "I" deleted something then there may well be no record of it at all.

This is not secure. No audit trail means no security.

Companies like Google, Facebook, Yahoo! and others have some great minds working for them. In some cases, those minds specialise in building systems that sift for relevant data, and deliver it. I can't believe that they're not up to the challenge of decent logging that a consumer could use.

Imagine, next time you log into your webmail system, seeing a notification that says something like:
You have used webmail from two familiar computers and your phone in the past 24 hours. Click here if that sounds suspicious.

That'd be great. It would tell you what you already know easily. If you saw "new computer" in the message, you could click through and look at the logs. Does it match a time when you were checking emails? If not then check if they read, sent or deleted mails. And then react accordingly.

Decent logs should be immutable to the user (that is, you can't edit or delete them), private (only you can see them) and last seven to fourteen days before being purged. Being able to export them for law enforcement purposes if you find anything would also be useful.
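To make the design above concrete, here is an added example (my own illustration, not code from the post or from any webmail provider) of a user-facing login trail with the properties just listed: entries the user can read but not alter, a retention window of fourteen days, a summary of the past 24 hours that distinguishes familiar machines from a newly seen one and flags sessions that read, sent or deleted mail, and a plain export. All device names, IP addresses and timestamps are constructed sample data.

```python
"""User-facing login audit trail (added example with constructed sample data)."""
from dataclasses import dataclass, FrozenInstanceError
from datetime import datetime, timedelta
import csv
import io

RETENTION = timedelta(days=14)   # purge after 7-14 days, as the post suggests
WINDOW = timedelta(hours=24)     # period the notification summarises


@dataclass(frozen=True)          # frozen: the user can read entries but never edit them
class LoginEvent:
    when: datetime
    device: str                  # name the user gave this machine at first login
    ip: str                      # constructed value for the example
    actions: tuple               # what "you" did in that session, e.g. ("read", "delete")


def is_tamper_proof(event):
    """True if the record rejects modification (immutable to the user)."""
    try:
        event.device = "edited"
    except FrozenInstanceError:
        return True
    return False


def purge_expired(events, now, retention=RETENTION):
    """Drop entries older than the retention period; the provider does this, not the user."""
    return [e for e in events if now - e.when <= retention]


def summarise(events, known_devices, now, window=WINDOW):
    """Build the notification text from the last `window` of activity."""
    hours = int(window.total_seconds() // 3600)
    recent = [e for e in events if now - e.when <= window]
    familiar = sorted({e.device for e in recent if e.device in known_devices})
    unfamiliar = [e for e in recent if e.device not in known_devices]
    # Sessions from an unknown machine that changed state are the ones worth a closer look.
    destructive = [e for e in unfamiliar if set(e.actions) & {"send", "delete"}]
    if not recent:
        message = f"No webmail logins in the past {hours} hours."
    else:
        parts = []
        if familiar:
            parts.append(f"{len(familiar)} familiar device(s): {', '.join(familiar)}")
        if unfamiliar:
            parts.append(f"{len(unfamiliar)} login(s) from a NEW device")
        message = "You have used webmail from " + "; ".join(parts) + f" in the past {hours} hours."
        if unfamiliar:
            message += " Click here if that sounds suspicious."
    return {"familiar": familiar, "unfamiliar": unfamiliar,
            "destructive": destructive, "message": message}


def export_csv(events):
    """Plain-text export the user can hand over if they find something wrong."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["when", "device", "ip", "actions"])
    for e in sorted(events, key=lambda e: e.when):
        writer.writerow([e.when.isoformat(), e.device, e.ip, " ".join(e.actions)])
    return buf.getvalue()


# Constructed sample log: three known machines plus one the user never named.
NOW = datetime(2011, 7, 20, 9, 0)
KNOWN_DEVICES = {"home-desktop", "work-laptop", "phone"}
SAMPLE_LOG = [
    LoginEvent(NOW - timedelta(days=20), "home-desktop", "192.0.2.10", ("read",)),      # older than retention
    LoginEvent(NOW - timedelta(hours=20), "home-desktop", "192.0.2.10", ("read", "send")),
    LoginEvent(NOW - timedelta(hours=9), "phone", "198.51.100.7", ("read",)),
    LoginEvent(NOW - timedelta(hours=3), "unnamed-machine", "203.0.113.55", ("read", "delete")),
]


def demo():
    """Purge stale entries, then produce the summary the user would see at login."""
    return summarise(purge_expired(SAMPLE_LOG, NOW), KNOWN_DEVICES, NOW)


if __name__ == "__main__":
    print(demo()["message"])
    print(export_csv(purge_expired(SAMPLE_LOG, NOW)))
```

Run as a script it prints the one-line notification, then the exported trail with the twenty-day-old entry already gone. The record is a frozen dataclass so that even code holding a reference cannot rewrite history; in a real service the same guarantee would come from the storage layer, with the user interface offering read and export only.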

If logs are presented well, and if they flag up the abnormal politely enough, users may well become better educated in watching "their" usage and recognising attacks. Which must be good. It would also remind would-be attackers that their activities will be monitored, which again must be good.

The only possible downside is that logs are, by definition, what has happened. I know some people will say it's no good telling people they've been hacked after the fact. I disagree. Knowing you've been attacked is better than not knowing. You cannot address what you don't know.

Look at it this way. Our best minds in real world law enforcement work in detection and forensics - looking at incidents after they happen. Those less, er, mentally able are usually the ones who get to stand by doors and try to stop people from getting in. Computing changes the equation because an authentication system (a very smart guard) can serve a million people as well as it can serve one. But that's no reason to fire all the detectives and forensic scientists.

The cloud lives in a world where it has mediocre door security, and no CCTV or police detectives. If you're lucky, you get a guestbook at the door that people are forced to sign. And that's it.

We should demand better. A decent audit trail isn't hard. We were producing them in the '60s on mainframes, and can produce them just as easily today.

The challenge is in presenting them in a way that assists users without confusing them. And even that's not too challenging.

So why are our cloud systems missing this important aspect of security?

My theory is that within the computer industry, security is usually sold on authentication and authorisation. Things like two-factor authentication, unusual authentication methods like picture selection [PDF link!] and the like make for great demonstrations. They can be made, if not sexy, at least interesting.

Plus, they usually cost a ton of money to implement, and salesmen will always try to sell you the expensive one.

Logging is, unfortunately, just a bunch of text you have to read. And it's cheap, too.

Basically, the computing industry doesn't know how to sell logging, or want to know how to sell it.

That needs to change before we can truly trust the cloud.

Addendum: When I wrote this, I was unaware that Google Mail does have a basic recent usage summary, available as usage details in the bottom left-hand corner. It's a good start, but it's neither visible enough to educate users nor quite useful enough for them to want to read it. But still, it's a good start...

Comments

Good points well made

I agree with everything you've said except the rather short suggested time limit on log retention, and your endorsement of forcing password expiration. The latter invariably forces people to choose a new password at an inopportune moment and makes it more likely they will have to write down the new one in some insecure way...

All things in moderation...

Ben,

Thanks for your feedback. I agree with you on principle, but made compromises that I felt were necessary. ;-)

I went for a short log time because of privacy concerns. Although the logs are private, logging over long terms can be scary for some people - and the last thing decent logging needs is badly written stories about how this is an infringement of privacy or could be misused by law enforcement. (We both know that there are probably more detailed backend logs which law enforcement would prefer anyway for their abuse!)

By going for a short period, you get a decent improvement of security without scaring 99% of users. The time period could always be expanded upwards later - which is probably what would happen, as cloud providers compete with each other. I don't like that I had to factor "scare story reporting" into my requirement, but better to have a less useful feature than outcry and a forced removal...

Forced password expiration doesn't have to be aggressive. It probably shouldn't because of the points you've made! It's tricky finding the balance though. The ideal system probably looks at usage and adjusts with some intelligence - if someone reads their mail every day, it drops the password lifespan. If they log in once a month, then it expands it. There are all kinds of ways to make password expiration less intrusive, and I'd hope cloud providers would take them up more than enterprises have. ;-)